Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0307
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.3 | ||
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.3 | ||
| SUSE | N/A | SUSE Manager Proxy 4.3 | ||
| SUSE | N/A | Basesystem Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.2 | ||
| SUSE | N/A | SUSE Real Time Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP4 | ||
| SUSE | N/A | Public Cloud Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro for Rancher 5.4 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP4 | ||
| SUSE | N/A | SUSE Manager Retail Branch Server 4.3 | ||
| SUSE | N/A | openSUSE Leap 15.4 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | ||
| SUSE | N/A | openSUSE Leap 15.5 | ||
| SUSE | N/A | SUSE Manager Server 4.3 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | N/A | Legacy Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP4 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | N/A | openSUSE Leap 15.6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP4 | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.1 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.4 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | N/A | Development Tools Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.5 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Proxy 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Retail Branch Server 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Manager Server 4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing LTSS 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2017-5753",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5753"
},
{
"name": "CVE-2020-27835",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27835"
},
{
"name": "CVE-2022-1016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1016"
},
{
"name": "CVE-2022-1184",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1184"
},
{
"name": "CVE-2022-1048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1048"
},
{
"name": "CVE-2022-0168",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0168"
},
{
"name": "CVE-2022-3435",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3435"
},
{
"name": "CVE-2022-29901",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29901"
},
{
"name": "CVE-2022-29900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29900"
},
{
"name": "CVE-2022-2977",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2977"
},
{
"name": "CVE-2022-3303",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3303"
},
{
"name": "CVE-2023-0179",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0179"
},
{
"name": "CVE-2023-1652",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1652"
},
{
"name": "CVE-2023-28410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28410"
},
{
"name": "CVE-2023-2162",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2162"
},
{
"name": "CVE-2023-3567",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3567"
},
{
"name": "CVE-2024-2201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2201"
},
{
"name": "CVE-2024-26634",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26634"
},
{
"name": "CVE-2021-47248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47248"
},
{
"name": "CVE-2024-35910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35910"
},
{
"name": "CVE-2024-26873",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26873"
},
{
"name": "CVE-2024-35826",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35826"
},
{
"name": "CVE-2024-41005",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41005"
},
{
"name": "CVE-2024-38606",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38606"
},
{
"name": "CVE-2024-41077",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41077"
},
{
"name": "CVE-2024-42229",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42229"
},
{
"name": "CVE-2024-41092",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41092"
},
{
"name": "CVE-2024-42098",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42098"
},
{
"name": "CVE-2024-42240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42240"
},
{
"name": "CVE-2021-47517",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47517"
},
{
"name": "CVE-2024-46782",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46782"
},
{
"name": "CVE-2024-50126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50126"
},
{
"name": "CVE-2024-50290",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50290"
},
{
"name": "CVE-2024-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53057"
},
{
"name": "CVE-2024-53063",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53063"
},
{
"name": "CVE-2024-42307",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42307"
},
{
"name": "CVE-2024-43820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43820"
},
{
"name": "CVE-2024-49924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49924"
},
{
"name": "CVE-2024-47678",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47678"
},
{
"name": "CVE-2024-53140",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53140"
},
{
"name": "CVE-2024-53064",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53064"
},
{
"name": "CVE-2024-56642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56642"
},
{
"name": "CVE-2024-56651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56651"
},
{
"name": "CVE-2024-49994",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49994"
},
{
"name": "CVE-2024-53124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53124"
},
{
"name": "CVE-2024-56703",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56703"
},
{
"name": "CVE-2025-21631",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21631"
},
{
"name": "CVE-2025-21671",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21671"
},
{
"name": "CVE-2024-49940",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49940"
},
{
"name": "CVE-2024-50056",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50056"
},
{
"name": "CVE-2024-50140",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50140"
},
{
"name": "CVE-2024-50152",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50152"
},
{
"name": "CVE-2024-53163",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53163"
},
{
"name": "CVE-2024-53176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53176"
},
{
"name": "CVE-2024-53178",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53178"
},
{
"name": "CVE-2024-56702",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56702"
},
{
"name": "CVE-2024-56751",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56751"
},
{
"name": "CVE-2023-52926",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52926"
},
{
"name": "CVE-2024-47408",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47408"
},
{
"name": "CVE-2024-49571",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49571"
},
{
"name": "CVE-2024-53680",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53680"
},
{
"name": "CVE-2024-56640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56640"
},
{
"name": "CVE-2024-56718",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56718"
},
{
"name": "CVE-2024-56770",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56770"
},
{
"name": "CVE-2024-57807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57807"
},
{
"name": "CVE-2024-57900",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57900"
},
{
"name": "CVE-2021-47633",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47633"
},
{
"name": "CVE-2021-47644",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47644"
},
{
"name": "CVE-2022-49076",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49076"
},
{
"name": "CVE-2022-49089",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49089"
},
{
"name": "CVE-2022-49134",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49134"
},
{
"name": "CVE-2022-49135",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49135"
},
{
"name": "CVE-2022-49151",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49151"
},
{
"name": "CVE-2022-49178",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49178"
},
{
"name": "CVE-2022-49182",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49182"
},
{
"name": "CVE-2022-49201",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49201"
},
{
"name": "CVE-2022-49247",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49247"
},
{
"name": "CVE-2022-49490",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49490"
},
{
"name": "CVE-2022-49626",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49626"
},
{
"name": "CVE-2022-49661",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49661"
},
{
"name": "CVE-2024-57979",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57979"
},
{
"name": "CVE-2025-21733",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21733"
},
{
"name": "CVE-2025-21753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21753"
},
{
"name": "CVE-2025-21754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21754"
},
{
"name": "CVE-2021-4453",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4453"
},
{
"name": "CVE-2021-47631",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47631"
},
{
"name": "CVE-2021-47632",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47632"
},
{
"name": "CVE-2021-47635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47635"
},
{
"name": "CVE-2021-47636",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47636"
},
{
"name": "CVE-2021-47637",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47637"
},
{
"name": "CVE-2021-47638",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47638"
},
{
"name": "CVE-2021-47639",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47639"
},
{
"name": "CVE-2021-47641",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47641"
},
{
"name": "CVE-2021-47642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47642"
},
{
"name": "CVE-2021-47643",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47643"
},
{
"name": "CVE-2021-47645",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47645"
},
{
"name": "CVE-2021-47646",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47646"
},
{
"name": "CVE-2021-47647",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47647"
},
{
"name": "CVE-2021-47648",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47648"
},
{
"name": "CVE-2021-47649",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47649"
},
{
"name": "CVE-2021-47650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47650"
},
{
"name": "CVE-2021-47651",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47651"
},
{
"name": "CVE-2021-47652",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47652"
},
{
"name": "CVE-2021-47653",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47653"
},
{
"name": "CVE-2021-47654",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47654"
},
{
"name": "CVE-2021-47656",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47656"
},
{
"name": "CVE-2021-47657",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47657"
},
{
"name": "CVE-2021-47659",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47659"
},
{
"name": "CVE-2022-0995",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0995"
},
{
"name": "CVE-2022-49044",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49044"
},
{
"name": "CVE-2022-49050",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49050"
},
{
"name": "CVE-2022-49051",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49051"
},
{
"name": "CVE-2022-49054",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49054"
},
{
"name": "CVE-2022-49055",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49055"
},
{
"name": "CVE-2022-49058",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49058"
},
{
"name": "CVE-2022-49059",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49059"
},
{
"name": "CVE-2022-49060",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49060"
},
{
"name": "CVE-2022-49061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49061"
},
{
"name": "CVE-2022-49063",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49063"
},
{
"name": "CVE-2022-49065",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49065"
},
{
"name": "CVE-2022-49066",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49066"
},
{
"name": "CVE-2022-49073",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49073"
},
{
"name": "CVE-2022-49074",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49074"
},
{
"name": "CVE-2022-49078",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49078"
},
{
"name": "CVE-2022-49082",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49082"
},
{
"name": "CVE-2022-49083",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49083"
},
{
"name": "CVE-2022-49084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49084"
},
{
"name": "CVE-2022-49085",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49085"
},
{
"name": "CVE-2022-49086",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49086"
},
{
"name": "CVE-2022-49088",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49088"
},
{
"name": "CVE-2022-49090",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49090"
},
{
"name": "CVE-2022-49091",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49091"
},
{
"name": "CVE-2022-49092",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49092"
},
{
"name": "CVE-2022-49093",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49093"
},
{
"name": "CVE-2022-49095",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49095"
},
{
"name": "CVE-2022-49096",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49096"
},
{
"name": "CVE-2022-49097",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49097"
},
{
"name": "CVE-2022-49098",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49098"
},
{
"name": "CVE-2022-49099",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49099"
},
{
"name": "CVE-2022-49100",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49100"
},
{
"name": "CVE-2022-49102",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49102"
},
{
"name": "CVE-2022-49103",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49103"
},
{
"name": "CVE-2022-49104",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49104"
},
{
"name": "CVE-2022-49105",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49105"
},
{
"name": "CVE-2022-49106",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49106"
},
{
"name": "CVE-2022-49107",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49107"
},
{
"name": "CVE-2022-49109",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49109"
},
{
"name": "CVE-2022-49111",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49111"
},
{
"name": "CVE-2022-49112",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49112"
},
{
"name": "CVE-2022-49113",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49113"
},
{
"name": "CVE-2022-49114",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49114"
},
{
"name": "CVE-2022-49115",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49115"
},
{
"name": "CVE-2022-49116",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49116"
},
{
"name": "CVE-2022-49118",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49118"
},
{
"name": "CVE-2022-49119",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49119"
},
{
"name": "CVE-2022-49120",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49120"
},
{
"name": "CVE-2022-49121",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49121"
},
{
"name": "CVE-2022-49122",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49122"
},
{
"name": "CVE-2022-49126",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49126"
},
{
"name": "CVE-2022-49128",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49128"
},
{
"name": "CVE-2022-49129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49129"
},
{
"name": "CVE-2022-49130",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49130"
},
{
"name": "CVE-2022-49131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49131"
},
{
"name": "CVE-2022-49132",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49132"
},
{
"name": "CVE-2022-49137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49137"
},
{
"name": "CVE-2022-49145",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49145"
},
{
"name": "CVE-2022-49147",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49147"
},
{
"name": "CVE-2022-49148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49148"
},
{
"name": "CVE-2022-49153",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49153"
},
{
"name": "CVE-2022-49154",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49154"
},
{
"name": "CVE-2022-49155",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49155"
},
{
"name": "CVE-2022-49156",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49156"
},
{
"name": "CVE-2022-49157",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49157"
},
{
"name": "CVE-2022-49158",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49158"
},
{
"name": "CVE-2022-49159",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49159"
},
{
"name": "CVE-2022-49160",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49160"
},
{
"name": "CVE-2022-49162",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49162"
},
{
"name": "CVE-2022-49163",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49163"
},
{
"name": "CVE-2022-49164",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49164"
},
{
"name": "CVE-2022-49165",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49165"
},
{
"name": "CVE-2022-49174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49174"
},
{
"name": "CVE-2022-49175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49175"
},
{
"name": "CVE-2022-49176",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49176"
},
{
"name": "CVE-2022-49177",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49177"
},
{
"name": "CVE-2022-49179",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49179"
},
{
"name": "CVE-2022-49180",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49180"
},
{
"name": "CVE-2022-49185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49185"
},
{
"name": "CVE-2022-49187",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49187"
},
{
"name": "CVE-2022-49188",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49188"
},
{
"name": "CVE-2022-49189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49189"
},
{
"name": "CVE-2022-49193",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49193"
},
{
"name": "CVE-2022-49194",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49194"
},
{
"name": "CVE-2022-49196",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49196"
},
{
"name": "CVE-2022-49199",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49199"
},
{
"name": "CVE-2022-49200",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49200"
},
{
"name": "CVE-2022-49206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49206"
},
{
"name": "CVE-2022-49208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49208"
},
{
"name": "CVE-2022-49212",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49212"
},
{
"name": "CVE-2022-49213",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49213"
},
{
"name": "CVE-2022-49214",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49214"
},
{
"name": "CVE-2022-49216",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49216"
},
{
"name": "CVE-2022-49217",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49217"
},
{
"name": "CVE-2022-49218",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49218"
},
{
"name": "CVE-2022-49221",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49221"
},
{
"name": "CVE-2022-49222",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49222"
},
{
"name": "CVE-2022-49224",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49224"
},
{
"name": "CVE-2022-49226",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49226"
},
{
"name": "CVE-2022-49227",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49227"
},
{
"name": "CVE-2022-49232",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49232"
},
{
"name": "CVE-2022-49235",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49235"
},
{
"name": "CVE-2022-49236",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49236"
},
{
"name": "CVE-2022-49239",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49239"
},
{
"name": "CVE-2022-49241",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49241"
},
{
"name": "CVE-2022-49242",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49242"
},
{
"name": "CVE-2022-49243",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49243"
},
{
"name": "CVE-2022-49244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49244"
},
{
"name": "CVE-2022-49246",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49246"
},
{
"name": "CVE-2022-49248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49248"
},
{
"name": "CVE-2022-49249",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49249"
},
{
"name": "CVE-2022-49250",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49250"
},
{
"name": "CVE-2022-49251",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49251"
},
{
"name": "CVE-2022-49252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49252"
},
{
"name": "CVE-2022-49253",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49253"
},
{
"name": "CVE-2022-49254",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49254"
},
{
"name": "CVE-2022-49256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49256"
},
{
"name": "CVE-2022-49257",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49257"
},
{
"name": "CVE-2022-49258",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49258"
},
{
"name": "CVE-2022-49259",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49259"
},
{
"name": "CVE-2022-49260",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49260"
},
{
"name": "CVE-2022-49261",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49261"
},
{
"name": "CVE-2022-49262",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49262"
},
{
"name": "CVE-2022-49263",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49263"
},
{
"name": "CVE-2022-49264",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49264"
},
{
"name": "CVE-2022-49265",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49265"
},
{
"name": "CVE-2022-49266",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49266"
},
{
"name": "CVE-2022-49268",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49268"
},
{
"name": "CVE-2022-49269",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49269"
},
{
"name": "CVE-2022-49270",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49270"
},
{
"name": "CVE-2022-49271",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49271"
},
{
"name": "CVE-2022-49272",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49272"
},
{
"name": "CVE-2022-49273",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49273"
},
{
"name": "CVE-2022-49274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49274"
},
{
"name": "CVE-2022-49275",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49275"
},
{
"name": "CVE-2022-49276",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49276"
},
{
"name": "CVE-2022-49277",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49277"
},
{
"name": "CVE-2022-49278",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49278"
},
{
"name": "CVE-2022-49279",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49279"
},
{
"name": "CVE-2022-49280",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49280"
},
{
"name": "CVE-2022-49281",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49281"
},
{
"name": "CVE-2022-49283",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49283"
},
{
"name": "CVE-2022-49285",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49285"
},
{
"name": "CVE-2022-49286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49286"
},
{
"name": "CVE-2022-49287",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49287"
},
{
"name": "CVE-2022-49288",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49288"
},
{
"name": "CVE-2022-49290",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49290"
},
{
"name": "CVE-2022-49291",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49291"
},
{
"name": "CVE-2022-49292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49292"
},
{
"name": "CVE-2022-49294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49294"
},
{
"name": "CVE-2022-49295",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49295"
},
{
"name": "CVE-2022-49297",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49297"
},
{
"name": "CVE-2022-49298",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49298"
},
{
"name": "CVE-2022-49299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49299"
},
{
"name": "CVE-2022-49300",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49300"
},
{
"name": "CVE-2022-49301",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49301"
},
{
"name": "CVE-2022-49302",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49302"
},
{
"name": "CVE-2022-49304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49304"
},
{
"name": "CVE-2022-49305",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49305"
},
{
"name": "CVE-2022-49307",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49307"
},
{
"name": "CVE-2022-49308",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49308"
},
{
"name": "CVE-2022-49309",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49309"
},
{
"name": "CVE-2022-49310",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49310"
},
{
"name": "CVE-2022-49311",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49311"
},
{
"name": "CVE-2022-49312",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49312"
},
{
"name": "CVE-2022-49313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49313"
},
{
"name": "CVE-2022-49314",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49314"
},
{
"name": "CVE-2022-49315",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49315"
},
{
"name": "CVE-2022-49316",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49316"
},
{
"name": "CVE-2022-49319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49319"
},
{
"name": "CVE-2022-49320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49320"
},
{
"name": "CVE-2022-49321",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49321"
},
{
"name": "CVE-2022-49322",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49322"
},
{
"name": "CVE-2022-49323",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49323"
},
{
"name": "CVE-2022-49326",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49326"
},
{
"name": "CVE-2022-49327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49327"
},
{
"name": "CVE-2022-49328",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49328"
},
{
"name": "CVE-2022-49331",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49331"
},
{
"name": "CVE-2022-49332",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49332"
},
{
"name": "CVE-2022-49335",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49335"
},
{
"name": "CVE-2022-49336",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49336"
},
{
"name": "CVE-2022-49337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49337"
},
{
"name": "CVE-2022-49339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49339"
},
{
"name": "CVE-2022-49341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49341"
},
{
"name": "CVE-2022-49342",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49342"
},
{
"name": "CVE-2022-49343",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49343"
},
{
"name": "CVE-2022-49345",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49345"
},
{
"name": "CVE-2022-49346",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49346"
},
{
"name": "CVE-2022-49347",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49347"
},
{
"name": "CVE-2022-49348",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49348"
},
{
"name": "CVE-2022-49349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49349"
},
{
"name": "CVE-2022-49350",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49350"
},
{
"name": "CVE-2022-49351",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49351"
},
{
"name": "CVE-2022-49352",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49352"
},
{
"name": "CVE-2022-49354",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49354"
},
{
"name": "CVE-2022-49356",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49356"
},
{
"name": "CVE-2022-49357",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49357"
},
{
"name": "CVE-2022-49367",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49367"
},
{
"name": "CVE-2022-49368",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49368"
},
{
"name": "CVE-2022-49370",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49370"
},
{
"name": "CVE-2022-49371",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49371"
},
{
"name": "CVE-2022-49373",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49373"
},
{
"name": "CVE-2022-49375",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49375"
},
{
"name": "CVE-2022-49376",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49376"
},
{
"name": "CVE-2022-49377",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49377"
},
{
"name": "CVE-2022-49378",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49378"
},
{
"name": "CVE-2022-49379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49379"
},
{
"name": "CVE-2022-49381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49381"
},
{
"name": "CVE-2022-49382",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49382"
},
{
"name": "CVE-2022-49384",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49384"
},
{
"name": "CVE-2022-49385",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49385"
},
{
"name": "CVE-2022-49386",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49386"
},
{
"name": "CVE-2022-49389",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49389"
},
{
"name": "CVE-2022-49392",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49392"
},
{
"name": "CVE-2022-49394",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49394"
},
{
"name": "CVE-2022-49396",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49396"
},
{
"name": "CVE-2022-49397",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49397"
},
{
"name": "CVE-2022-49398",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49398"
},
{
"name": "CVE-2022-49399",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49399"
},
{
"name": "CVE-2022-49400",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49400"
},
{
"name": "CVE-2022-49402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49402"
},
{
"name": "CVE-2022-49404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49404"
},
{
"name": "CVE-2022-49407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49407"
},
{
"name": "CVE-2022-49409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49409"
},
{
"name": "CVE-2022-49410",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49410"
},
{
"name": "CVE-2022-49411",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49411"
},
{
"name": "CVE-2022-49412",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49412"
},
{
"name": "CVE-2022-49413",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49413"
},
{
"name": "CVE-2022-49414",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49414"
},
{
"name": "CVE-2022-49416",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49416"
},
{
"name": "CVE-2022-49418",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49418"
},
{
"name": "CVE-2022-49421",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49421"
},
{
"name": "CVE-2022-49422",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49422"
},
{
"name": "CVE-2022-49424",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49424"
},
{
"name": "CVE-2022-49426",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49426"
},
{
"name": "CVE-2022-49427",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49427"
},
{
"name": "CVE-2022-49429",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49429"
},
{
"name": "CVE-2022-49430",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49430"
},
{
"name": "CVE-2022-49431",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49431"
},
{
"name": "CVE-2022-49432",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49432"
},
{
"name": "CVE-2022-49433",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49433"
},
{
"name": "CVE-2022-49434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49434"
},
{
"name": "CVE-2022-49435",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49435"
},
{
"name": "CVE-2022-49437",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49437"
},
{
"name": "CVE-2022-49438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49438"
},
{
"name": "CVE-2022-49440",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49440"
},
{
"name": "CVE-2022-49441",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49441"
},
{
"name": "CVE-2022-49442",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49442"
},
{
"name": "CVE-2022-49443",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49443"
},
{
"name": "CVE-2022-49444",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49444"
},
{
"name": "CVE-2022-49445",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49445"
},
{
"name": "CVE-2022-49447",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49447"
},
{
"name": "CVE-2022-49448",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49448"
},
{
"name": "CVE-2022-49449",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49449"
},
{
"name": "CVE-2022-49451",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49451"
},
{
"name": "CVE-2022-49453",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49453"
},
{
"name": "CVE-2022-49455",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49455"
},
{
"name": "CVE-2022-49459",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49459"
},
{
"name": "CVE-2022-49460",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49460"
},
{
"name": "CVE-2022-49462",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49462"
},
{
"name": "CVE-2022-49463",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49463"
},
{
"name": "CVE-2022-49466",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49466"
},
{
"name": "CVE-2022-49467",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49467"
},
{
"name": "CVE-2022-49468",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49468"
},
{
"name": "CVE-2022-49472",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49472"
},
{
"name": "CVE-2022-49473",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49473"
},
{
"name": "CVE-2022-49474",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49474"
},
{
"name": "CVE-2022-49475",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49475"
},
{
"name": "CVE-2022-49477",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49477"
},
{
"name": "CVE-2022-49478",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49478"
},
{
"name": "CVE-2022-49480",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49480"
},
{
"name": "CVE-2022-49481",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49481"
},
{
"name": "CVE-2022-49482",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49482"
},
{
"name": "CVE-2022-49486",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49486"
},
{
"name": "CVE-2022-49487",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49487"
},
{
"name": "CVE-2022-49488",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49488"
},
{
"name": "CVE-2022-49489",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49489"
},
{
"name": "CVE-2022-49491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49491"
},
{
"name": "CVE-2022-49492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49492"
},
{
"name": "CVE-2022-49493",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49493"
},
{
"name": "CVE-2022-49494",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49494"
},
{
"name": "CVE-2022-49495",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49495"
},
{
"name": "CVE-2022-49498",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49498"
},
{
"name": "CVE-2022-49501",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49501"
},
{
"name": "CVE-2022-49502",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49502"
},
{
"name": "CVE-2022-49503",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49503"
},
{
"name": "CVE-2022-49504",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49504"
},
{
"name": "CVE-2022-49505",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49505"
},
{
"name": "CVE-2022-49506",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49506"
},
{
"name": "CVE-2022-49507",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49507"
},
{
"name": "CVE-2022-49508",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49508"
},
{
"name": "CVE-2022-49509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49509"
},
{
"name": "CVE-2022-49512",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49512"
},
{
"name": "CVE-2022-49514",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49514"
},
{
"name": "CVE-2022-49515",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49515"
},
{
"name": "CVE-2022-49517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49517"
},
{
"name": "CVE-2022-49519",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49519"
},
{
"name": "CVE-2022-49520",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49520"
},
{
"name": "CVE-2022-49521",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49521"
},
{
"name": "CVE-2022-49522",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49522"
},
{
"name": "CVE-2022-49523",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49523"
},
{
"name": "CVE-2022-49524",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49524"
},
{
"name": "CVE-2022-49525",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49525"
},
{
"name": "CVE-2022-49526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49526"
},
{
"name": "CVE-2022-49527",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49527"
},
{
"name": "CVE-2022-49532",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49532"
},
{
"name": "CVE-2022-49534",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49534"
},
{
"name": "CVE-2022-49535",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49535"
},
{
"name": "CVE-2022-49536",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49536"
},
{
"name": "CVE-2022-49537",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49537"
},
{
"name": "CVE-2022-49541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49541"
},
{
"name": "CVE-2022-49542",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49542"
},
{
"name": "CVE-2022-49544",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49544"
},
{
"name": "CVE-2022-49545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49545"
},
{
"name": "CVE-2022-49546",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49546"
},
{
"name": "CVE-2022-49549",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49549"
},
{
"name": "CVE-2022-49551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49551"
},
{
"name": "CVE-2022-49555",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49555"
},
{
"name": "CVE-2022-49556",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49556"
},
{
"name": "CVE-2022-49559",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49559"
},
{
"name": "CVE-2022-49562",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49562"
},
{
"name": "CVE-2022-49563",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49563"
},
{
"name": "CVE-2022-49564",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49564"
},
{
"name": "CVE-2022-49566",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49566"
},
{
"name": "CVE-2022-49568",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49568"
},
{
"name": "CVE-2022-49569",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49569"
},
{
"name": "CVE-2022-49570",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49570"
},
{
"name": "CVE-2022-49579",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49579"
},
{
"name": "CVE-2022-49581",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49581"
},
{
"name": "CVE-2022-49583",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49583"
},
{
"name": "CVE-2022-49584",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49584"
},
{
"name": "CVE-2022-49591",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49591"
},
{
"name": "CVE-2022-49592",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49592"
},
{
"name": "CVE-2022-49603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49603"
},
{
"name": "CVE-2022-49605",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49605"
},
{
"name": "CVE-2022-49606",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49606"
},
{
"name": "CVE-2022-49607",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49607"
},
{
"name": "CVE-2022-49609",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49609"
},
{
"name": "CVE-2022-49610",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49610"
},
{
"name": "CVE-2022-49611",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49611"
},
{
"name": "CVE-2022-49613",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49613"
},
{
"name": "CVE-2022-49615",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49615"
},
{
"name": "CVE-2022-49616",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49616"
},
{
"name": "CVE-2022-49617",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49617"
},
{
"name": "CVE-2022-49618",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49618"
},
{
"name": "CVE-2022-49621",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49621"
},
{
"name": "CVE-2022-49623",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49623"
},
{
"name": "CVE-2022-49625",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49625"
},
{
"name": "CVE-2022-49627",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49627"
},
{
"name": "CVE-2022-49628",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49628"
},
{
"name": "CVE-2022-49631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49631"
},
{
"name": "CVE-2022-49634",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49634"
},
{
"name": "CVE-2022-49640",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49640"
},
{
"name": "CVE-2022-49641",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49641"
},
{
"name": "CVE-2022-49642",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49642"
},
{
"name": "CVE-2022-49643",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49643"
},
{
"name": "CVE-2022-49644",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49644"
},
{
"name": "CVE-2022-49645",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49645"
},
{
"name": "CVE-2022-49646",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49646"
},
{
"name": "CVE-2022-49647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49647"
},
{
"name": "CVE-2022-49648",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49648"
},
{
"name": "CVE-2022-49649",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49649"
},
{
"name": "CVE-2022-49652",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49652"
},
{
"name": "CVE-2022-49653",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49653"
},
{
"name": "CVE-2022-49656",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49656"
},
{
"name": "CVE-2022-49657",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49657"
},
{
"name": "CVE-2022-49663",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49663"
},
{
"name": "CVE-2022-49665",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49665"
},
{
"name": "CVE-2022-49667",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49667"
},
{
"name": "CVE-2022-49668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49668"
},
{
"name": "CVE-2022-49670",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49670"
},
{
"name": "CVE-2022-49671",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49671"
},
{
"name": "CVE-2022-49672",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49672"
},
{
"name": "CVE-2022-49673",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49673"
},
{
"name": "CVE-2022-49674",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49674"
},
{
"name": "CVE-2022-49675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49675"
},
{
"name": "CVE-2022-49676",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49676"
},
{
"name": "CVE-2022-49677",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49677"
},
{
"name": "CVE-2022-49678",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49678"
},
{
"name": "CVE-2022-49679",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49679"
},
{
"name": "CVE-2022-49680",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49680"
},
{
"name": "CVE-2022-49683",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49683"
},
{
"name": "CVE-2022-49685",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49685"
},
{
"name": "CVE-2022-49687",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49687"
},
{
"name": "CVE-2022-49688",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49688"
},
{
"name": "CVE-2022-49693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49693"
},
{
"name": "CVE-2022-49695",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49695"
},
{
"name": "CVE-2022-49699",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49699"
},
{
"name": "CVE-2022-49700",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49700"
},
{
"name": "CVE-2022-49701",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49701"
},
{
"name": "CVE-2022-49703",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49703"
},
{
"name": "CVE-2022-49704",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49704"
},
{
"name": "CVE-2022-49705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49705"
},
{
"name": "CVE-2022-49707",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49707"
},
{
"name": "CVE-2022-49708",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49708"
},
{
"name": "CVE-2022-49710",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49710"
},
{
"name": "CVE-2022-49711",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49711"
},
{
"name": "CVE-2022-49712",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49712"
},
{
"name": "CVE-2022-49713",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49713"
},
{
"name": "CVE-2022-49714",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49714"
},
{
"name": "CVE-2022-49715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49715"
},
{
"name": "CVE-2022-49716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49716"
},
{
"name": "CVE-2022-49719",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49719"
},
{
"name": "CVE-2022-49720",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49720"
},
{
"name": "CVE-2022-49721",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49721"
},
{
"name": "CVE-2022-49722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49722"
},
{
"name": "CVE-2022-49723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49723"
},
{
"name": "CVE-2022-49724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49724"
},
{
"name": "CVE-2022-49725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49725"
},
{
"name": "CVE-2022-49726",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49726"
},
{
"name": "CVE-2022-49729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49729"
},
{
"name": "CVE-2022-49730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49730"
},
{
"name": "CVE-2022-49731",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49731"
},
{
"name": "CVE-2022-49733",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49733"
},
{
"name": "CVE-2024-57996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57996"
},
{
"name": "CVE-2024-58014",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58014"
},
{
"name": "CVE-2025-21718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21718"
},
{
"name": "CVE-2025-21772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21772"
},
{
"name": "CVE-2025-21780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21780"
},
{
"name": "CVE-2025-21785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21785"
},
{
"name": "CVE-2024-47794",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47794"
},
{
"name": "CVE-2024-54683",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54683"
},
{
"name": "CVE-2024-56638",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56638"
},
{
"name": "CVE-2024-56719",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56719"
},
{
"name": "CVE-2024-56758",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56758"
},
{
"name": "CVE-2025-21635",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21635"
},
{
"name": "CVE-2025-21659",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21659"
},
{
"name": "CVE-2024-57834",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57834"
},
{
"name": "CVE-2024-57973",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57973"
},
{
"name": "CVE-2024-57978",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57978"
},
{
"name": "CVE-2024-57980",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57980"
},
{
"name": "CVE-2024-57981",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57981"
},
{
"name": "CVE-2024-57986",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57986"
},
{
"name": "CVE-2024-57993",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57993"
},
{
"name": "CVE-2024-57997",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57997"
},
{
"name": "CVE-2024-58007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58007"
},
{
"name": "CVE-2024-58009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58009"
},
{
"name": "CVE-2024-58011",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58011"
},
{
"name": "CVE-2024-58013",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58013"
},
{
"name": "CVE-2024-58017",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58017"
},
{
"name": "CVE-2024-58020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58020"
},
{
"name": "CVE-2024-58034",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58034"
},
{
"name": "CVE-2024-58051",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58051"
},
{
"name": "CVE-2024-58052",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58052"
},
{
"name": "CVE-2024-58054",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58054"
},
{
"name": "CVE-2024-58055",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58055"
},
{
"name": "CVE-2024-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58056"
},
{
"name": "CVE-2024-58058",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58058"
},
{
"name": "CVE-2024-58061",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58061"
},
{
"name": "CVE-2024-58063",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58063"
},
{
"name": "CVE-2024-58069",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58069"
},
{
"name": "CVE-2024-58072",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58072"
},
{
"name": "CVE-2024-58076",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58076"
},
{
"name": "CVE-2024-58080",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58080"
},
{
"name": "CVE-2024-58083",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58083"
},
{
"name": "CVE-2024-58085",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58085"
},
{
"name": "CVE-2024-58086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58086"
},
{
"name": "CVE-2025-21701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21701"
},
{
"name": "CVE-2025-21703",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21703"
},
{
"name": "CVE-2025-21704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21704"
},
{
"name": "CVE-2025-21706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21706"
},
{
"name": "CVE-2025-21708",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21708"
},
{
"name": "CVE-2025-21711",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21711"
},
{
"name": "CVE-2025-21726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21726"
},
{
"name": "CVE-2025-21727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21727"
},
{
"name": "CVE-2025-21731",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21731"
},
{
"name": "CVE-2025-21734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21734"
},
{
"name": "CVE-2025-21735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21735"
},
{
"name": "CVE-2025-21736",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21736"
},
{
"name": "CVE-2025-21738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21738"
},
{
"name": "CVE-2025-21744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21744"
},
{
"name": "CVE-2025-21745",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21745"
},
{
"name": "CVE-2025-21749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21749"
},
{
"name": "CVE-2025-21750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21750"
},
{
"name": "CVE-2025-21760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21760"
},
{
"name": "CVE-2025-21761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21761"
},
{
"name": "CVE-2025-21762",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21762"
},
{
"name": "CVE-2025-21763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21763"
},
{
"name": "CVE-2025-21764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21764"
},
{
"name": "CVE-2025-21765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21765"
},
{
"name": "CVE-2025-21766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21766"
},
{
"name": "CVE-2025-21775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21775"
},
{
"name": "CVE-2025-21776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21776"
},
{
"name": "CVE-2025-21779",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21779"
},
{
"name": "CVE-2025-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21781"
},
{
"name": "CVE-2025-21782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21782"
},
{
"name": "CVE-2025-21791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21791"
},
{
"name": "CVE-2025-21794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21794"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2025-21804",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21804"
},
{
"name": "CVE-2025-21819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21819"
},
{
"name": "CVE-2025-21820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21820"
},
{
"name": "CVE-2025-21821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21821"
},
{
"name": "CVE-2025-21823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21823"
},
{
"name": "CVE-2025-21829",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21829"
},
{
"name": "CVE-2025-21830",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21830"
},
{
"name": "CVE-2025-21832",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21832"
},
{
"name": "CVE-2025-21835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21835"
},
{
"name": "CVE-2021-4454",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4454"
},
{
"name": "CVE-2022-49053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49053"
},
{
"name": "CVE-2022-49056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49056"
},
{
"name": "CVE-2022-49057",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49057"
},
{
"name": "CVE-2022-49062",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49062"
},
{
"name": "CVE-2022-49064",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49064"
},
{
"name": "CVE-2022-49070",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49070"
},
{
"name": "CVE-2022-49071",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49071"
},
{
"name": "CVE-2022-49075",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49075"
},
{
"name": "CVE-2022-49123",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49123"
},
{
"name": "CVE-2022-49125",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49125"
},
{
"name": "CVE-2022-49133",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49133"
},
{
"name": "CVE-2022-49136",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49136"
},
{
"name": "CVE-2022-49138",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49138"
},
{
"name": "CVE-2022-49139",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49139"
},
{
"name": "CVE-2022-49144",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49144"
},
{
"name": "CVE-2022-49183",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49183"
},
{
"name": "CVE-2022-49192",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49192"
},
{
"name": "CVE-2022-49202",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49202"
},
{
"name": "CVE-2022-49203",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49203"
},
{
"name": "CVE-2022-49204",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49204"
},
{
"name": "CVE-2022-49205",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49205"
},
{
"name": "CVE-2022-49207",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49207"
},
{
"name": "CVE-2022-49209",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49209"
},
{
"name": "CVE-2022-49215",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49215"
},
{
"name": "CVE-2022-49219",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49219"
},
{
"name": "CVE-2022-49225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49225"
},
{
"name": "CVE-2022-49228",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49228"
},
{
"name": "CVE-2022-49230",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49230"
},
{
"name": "CVE-2022-49233",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49233"
},
{
"name": "CVE-2022-49237",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49237"
},
{
"name": "CVE-2022-49238",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49238"
},
{
"name": "CVE-2022-49293",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49293"
},
{
"name": "CVE-2022-49296",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49296"
},
{
"name": "CVE-2022-49306",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49306"
},
{
"name": "CVE-2022-49325",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49325"
},
{
"name": "CVE-2022-49329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49329"
},
{
"name": "CVE-2022-49330",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49330"
},
{
"name": "CVE-2022-49333",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49333"
},
{
"name": "CVE-2022-49338",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49338"
},
{
"name": "CVE-2022-49353",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49353"
},
{
"name": "CVE-2022-49359",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49359"
},
{
"name": "CVE-2022-49362",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49362"
},
{
"name": "CVE-2022-49365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49365"
},
{
"name": "CVE-2022-49390",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49390"
},
{
"name": "CVE-2022-49406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49406"
},
{
"name": "CVE-2022-49419",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49419"
},
{
"name": "CVE-2022-49436",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49436"
},
{
"name": "CVE-2022-49446",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49446"
},
{
"name": "CVE-2022-49458",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49458"
},
{
"name": "CVE-2022-49465",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49465"
},
{
"name": "CVE-2022-49470",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49470"
},
{
"name": "CVE-2022-49476",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49476"
},
{
"name": "CVE-2022-49479",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49479"
},
{
"name": "CVE-2022-49483",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49483"
},
{
"name": "CVE-2022-49484",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49484"
},
{
"name": "CVE-2022-49485",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49485"
},
{
"name": "CVE-2022-49497",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49497"
},
{
"name": "CVE-2022-49499",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49499"
},
{
"name": "CVE-2022-49510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49510"
},
{
"name": "CVE-2022-49511",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49511"
},
{
"name": "CVE-2022-49516",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49516"
},
{
"name": "CVE-2022-49518",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49518"
},
{
"name": "CVE-2022-49529",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49529"
},
{
"name": "CVE-2022-49530",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49530"
},
{
"name": "CVE-2022-49533",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49533"
},
{
"name": "CVE-2022-49538",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49538"
},
{
"name": "CVE-2022-49543",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49543"
},
{
"name": "CVE-2022-49548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49548"
},
{
"name": "CVE-2022-49552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49552"
},
{
"name": "CVE-2022-49560",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49560"
},
{
"name": "CVE-2022-49565",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49565"
},
{
"name": "CVE-2022-49624",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49624"
},
{
"name": "CVE-2022-49635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49635"
},
{
"name": "CVE-2022-49638",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49638"
},
{
"name": "CVE-2022-49650",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49650"
},
{
"name": "CVE-2022-49655",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49655"
},
{
"name": "CVE-2022-49658",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49658"
},
{
"name": "CVE-2022-49686",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49686"
},
{
"name": "CVE-2022-49694",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49694"
},
{
"name": "CVE-2022-49697",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49697"
},
{
"name": "CVE-2022-49732",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49732"
},
{
"name": "CVE-2022-49739",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49739"
},
{
"name": "CVE-2022-49746",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49746"
},
{
"name": "CVE-2022-49748",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49748"
},
{
"name": "CVE-2022-49751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49751"
},
{
"name": "CVE-2022-49753",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49753"
},
{
"name": "CVE-2022-49755",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49755"
},
{
"name": "CVE-2022-49759",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49759"
},
{
"name": "CVE-2023-52831",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52831"
},
{
"name": "CVE-2023-52927",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52927"
},
{
"name": "CVE-2023-52930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52930"
},
{
"name": "CVE-2023-52933",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52933"
},
{
"name": "CVE-2023-52935",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52935"
},
{
"name": "CVE-2023-52939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52939"
},
{
"name": "CVE-2023-52941",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52941"
},
{
"name": "CVE-2023-52973",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52973"
},
{
"name": "CVE-2023-52974",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52974"
},
{
"name": "CVE-2023-52975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52975"
},
{
"name": "CVE-2023-52976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52976"
},
{
"name": "CVE-2023-52979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52979"
},
{
"name": "CVE-2023-52983",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52983"
},
{
"name": "CVE-2023-52984",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52984"
},
{
"name": "CVE-2023-52988",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52988"
},
{
"name": "CVE-2023-52989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52989"
},
{
"name": "CVE-2023-52992",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52992"
},
{
"name": "CVE-2023-52993",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52993"
},
{
"name": "CVE-2023-53000",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53000"
},
{
"name": "CVE-2023-53005",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53005"
},
{
"name": "CVE-2023-53006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53006"
},
{
"name": "CVE-2023-53007",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53007"
},
{
"name": "CVE-2023-53008",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53008"
},
{
"name": "CVE-2023-53010",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53010"
},
{
"name": "CVE-2023-53015",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53015"
},
{
"name": "CVE-2023-53016",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53016"
},
{
"name": "CVE-2023-53019",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53019"
},
{
"name": "CVE-2023-53023",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53023"
},
{
"name": "CVE-2023-53024",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53024"
},
{
"name": "CVE-2023-53025",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53025"
},
{
"name": "CVE-2023-53026",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53026"
},
{
"name": "CVE-2023-53028",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53028"
},
{
"name": "CVE-2023-53029",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53029"
},
{
"name": "CVE-2023-53030",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53030"
},
{
"name": "CVE-2023-53033",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53033"
},
{
"name": "CVE-2024-41149",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41149"
},
{
"name": "CVE-2024-46736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46736"
},
{
"name": "CVE-2024-46796",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46796"
},
{
"name": "CVE-2024-52559",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52559"
},
{
"name": "CVE-2024-57947",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57947"
},
{
"name": "CVE-2024-57974",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57974"
},
{
"name": "CVE-2024-57990",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57990"
},
{
"name": "CVE-2024-57999",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57999"
},
{
"name": "CVE-2024-58002",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58002"
},
{
"name": "CVE-2024-58005",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58005"
},
{
"name": "CVE-2024-58006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58006"
},
{
"name": "CVE-2024-58012",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58012"
},
{
"name": "CVE-2024-58019",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58019"
},
{
"name": "CVE-2024-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58057"
},
{
"name": "CVE-2024-58078",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58078"
},
{
"name": "CVE-2024-58079",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58079"
},
{
"name": "CVE-2025-21693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21693"
},
{
"name": "CVE-2025-21714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21714"
},
{
"name": "CVE-2025-21723",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21723"
},
{
"name": "CVE-2025-21732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21732"
},
{
"name": "CVE-2025-21739",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21739"
},
{
"name": "CVE-2025-21741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21741"
},
{
"name": "CVE-2025-21742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21742"
},
{
"name": "CVE-2025-21743",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21743"
},
{
"name": "CVE-2025-21756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21756"
},
{
"name": "CVE-2025-21759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21759"
},
{
"name": "CVE-2025-21773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21773"
},
{
"name": "CVE-2025-21784",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21784"
},
{
"name": "CVE-2025-21793",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21793"
},
{
"name": "CVE-2025-21810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21810"
},
{
"name": "CVE-2025-21815",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21815"
},
{
"name": "CVE-2025-21825",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21825"
},
{
"name": "CVE-2025-21828",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21828"
},
{
"name": "CVE-2025-21831",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21831"
},
{
"name": "CVE-2025-21838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21838"
},
{
"name": "CVE-2025-21839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21839"
},
{
"name": "CVE-2025-21844",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21844"
},
{
"name": "CVE-2025-21846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21846"
},
{
"name": "CVE-2025-21847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21847"
},
{
"name": "CVE-2025-21848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21848"
},
{
"name": "CVE-2025-21850",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21850"
},
{
"name": "CVE-2025-21855",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21855"
},
{
"name": "CVE-2025-21856",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21856"
},
{
"name": "CVE-2025-21857",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21857"
},
{
"name": "CVE-2025-21858",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21858"
},
{
"name": "CVE-2025-21859",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21859"
},
{
"name": "CVE-2025-21861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21861"
},
{
"name": "CVE-2025-21862",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21862"
},
{
"name": "CVE-2025-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21864"
},
{
"name": "CVE-2025-21865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21865"
},
{
"name": "CVE-2025-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21866"
},
{
"name": "CVE-2025-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21869"
},
{
"name": "CVE-2025-21870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21870"
},
{
"name": "CVE-2025-21871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21871"
},
{
"name": "CVE-2025-21876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21876"
},
{
"name": "CVE-2025-21877",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21877"
},
{
"name": "CVE-2025-21878",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21878"
},
{
"name": "CVE-2025-21883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21883"
},
{
"name": "CVE-2025-21885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21885"
},
{
"name": "CVE-2025-21886",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21886"
},
{
"name": "CVE-2025-21888",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21888"
},
{
"name": "CVE-2025-21890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21890"
},
{
"name": "CVE-2025-21891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21891"
},
{
"name": "CVE-2025-21892",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21892"
}
],
"initial_release_date": "2025-04-11T00:00:00",
"last_revision_date": "2025-04-11T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0307",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-04-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-04-08",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1177-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251177-1"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1180-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251180-1"
},
{
"published_at": "2025-04-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1194-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251194-1"
},
{
"published_at": "2025-04-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1195-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251195-1"
},
{
"published_at": "2025-04-08",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1178-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251178-1"
},
{
"published_at": "2025-04-08",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1176-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251176-1"
},
{
"published_at": "2025-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:1183-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20251183-1"
}
]
}
CVE-2022-49477 (GCVE-0-2022-49477)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: samsung: Fix refcount leak in aries_audio_probe
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
If extcon_find_edev_by_node() fails, it doesn't call of_node_put()
Calling of_node_put() after extcon_find_edev_by_node() to fix this.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:32.696001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/samsung/aries_wm8994.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cacea459f95be22b3750f3b25b7a1c5897a68206",
"status": "affected",
"version": "7a3a7671fa6c7e90aff5f4242add2a40587b85ef",
"versionType": "git"
},
{
"lessThan": "85d899f396622d3034643bf89615a78f9be7c91a",
"status": "affected",
"version": "7a3a7671fa6c7e90aff5f4242add2a40587b85ef",
"versionType": "git"
},
{
"lessThan": "70130bde3457d28c02c76b6cacc5d40a72dd6e17",
"status": "affected",
"version": "7a3a7671fa6c7e90aff5f4242add2a40587b85ef",
"versionType": "git"
},
{
"lessThan": "46d1b310a2d571811c4e08041ce287babb60b86a",
"status": "affected",
"version": "7a3a7671fa6c7e90aff5f4242add2a40587b85ef",
"versionType": "git"
},
{
"lessThan": "bf4a9b2467b775717d0e9034ad916888e19713a3",
"status": "affected",
"version": "7a3a7671fa6c7e90aff5f4242add2a40587b85ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/samsung/aries_wm8994.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: samsung: Fix refcount leak in aries_audio_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nIf extcon_find_edev_by_node() fails, it doesn\u0027t call of_node_put()\nCalling of_node_put() after extcon_find_edev_by_node() to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:34.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cacea459f95be22b3750f3b25b7a1c5897a68206"
},
{
"url": "https://git.kernel.org/stable/c/85d899f396622d3034643bf89615a78f9be7c91a"
},
{
"url": "https://git.kernel.org/stable/c/70130bde3457d28c02c76b6cacc5d40a72dd6e17"
},
{
"url": "https://git.kernel.org/stable/c/46d1b310a2d571811c4e08041ce287babb60b86a"
},
{
"url": "https://git.kernel.org/stable/c/bf4a9b2467b775717d0e9034ad916888e19713a3"
}
],
"title": "ASoC: samsung: Fix refcount leak in aries_audio_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49477",
"datePublished": "2025-02-26T02:13:18.686Z",
"dateReserved": "2025-02-26T02:08:31.581Z",
"dateUpdated": "2025-10-01T19:46:45.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49482 (GCVE-0-2022-49482)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e Version: 08641c7c74dddfcd726512edfaa3b4cbe42e523e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:19.833223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mxs/mxs-saif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c933829cbf3338b684869e6c4c8931abf5d68fbd",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "d42601e93fce7802bb8d70dd59b60cfeefa20469",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "30d110ca703ce60162ec337aa564a3e4da30715f",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "18b907ff0ae4bf20120aae1538f7156b9d08e3a7",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "2a0da7641e1f17a744ac7b3f76471388c97b63dc",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "24491124406666bf0dcb9ee10c5575c6ce6a1730",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "4e2a1bcc51bdebed48176f6e88c150f175983f9c",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "d855505851ee8ba666eb204149b49f906130dc17",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
},
{
"lessThan": "2be84f73785fa9ed6443e3c5b158730266f1c2ee",
"status": "affected",
"version": "08641c7c74dddfcd726512edfaa3b4cbe42e523e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mxs/mxs-saif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mxs-saif: Fix refcount leak in mxs_saif_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:45.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c933829cbf3338b684869e6c4c8931abf5d68fbd"
},
{
"url": "https://git.kernel.org/stable/c/d42601e93fce7802bb8d70dd59b60cfeefa20469"
},
{
"url": "https://git.kernel.org/stable/c/30d110ca703ce60162ec337aa564a3e4da30715f"
},
{
"url": "https://git.kernel.org/stable/c/18b907ff0ae4bf20120aae1538f7156b9d08e3a7"
},
{
"url": "https://git.kernel.org/stable/c/2a0da7641e1f17a744ac7b3f76471388c97b63dc"
},
{
"url": "https://git.kernel.org/stable/c/24491124406666bf0dcb9ee10c5575c6ce6a1730"
},
{
"url": "https://git.kernel.org/stable/c/4e2a1bcc51bdebed48176f6e88c150f175983f9c"
},
{
"url": "https://git.kernel.org/stable/c/d855505851ee8ba666eb204149b49f906130dc17"
},
{
"url": "https://git.kernel.org/stable/c/2be84f73785fa9ed6443e3c5b158730266f1c2ee"
}
],
"title": "ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49482",
"datePublished": "2025-02-26T02:13:22.005Z",
"dateReserved": "2025-02-26T02:08:31.582Z",
"dateUpdated": "2025-10-01T19:46:45.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21635 (GCVE-0-2025-21635)
Vulnerability from cvelistv5
Published
2025-01-19 10:17
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy
As mentioned in a previous commit of this series, using the 'net'
structure via 'current' is not recommended for different reasons:
- Inconsistency: getting info from the reader's/writer's netns vs only
from the opener's netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
(null-ptr-deref), e.g. when the current task is exiting, as spotted by
syzbot [1] using acct(2).
The per-netns structure can be obtained from the table->data using
container_of(), then the 'net' one can be retrieved from the listen
socket (if available).
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:54:16.928023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:18.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de8d6de0ee27be4b2b1e5b06f04aeacbabbba492",
"status": "affected",
"version": "c6a58ffed53612be86b758df1cdb0b0f4305e9cb",
"versionType": "git"
},
{
"lessThan": "7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c",
"status": "affected",
"version": "c6a58ffed53612be86b758df1cdb0b0f4305e9cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current-\u003ensproxy\n\nAs mentioned in a previous commit of this series, using the \u0027net\u0027\nstructure via \u0027current\u0027 is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader\u0027s/writer\u0027s netns vs only\n from the opener\u0027s netns.\n\n- current-\u003ensproxy can be NULL in some cases, resulting in an \u0027Oops\u0027\n (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n syzbot [1] using acct(2).\n\nThe per-netns structure can be obtained from the table-\u003edata using\ncontainer_of(), then the \u0027net\u0027 one can be retrieved from the listen\nsocket (if available)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:17:56.511Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de8d6de0ee27be4b2b1e5b06f04aeacbabbba492"
},
{
"url": "https://git.kernel.org/stable/c/7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c"
}
],
"title": "rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current-\u003ensproxy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21635",
"datePublished": "2025-01-19T10:17:53.832Z",
"dateReserved": "2024-12-29T08:45:45.726Z",
"dateUpdated": "2025-10-01T19:57:18.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47678 (GCVE-0-2024-47678)
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-11-03 22:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp: change the order of rate limits
ICMP messages are ratelimited :
After the blamed commits, the two rate limiters are applied in this order:
1) host wide ratelimit (icmp_global_allow())
2) Per destination ratelimit (inetpeer based)
In order to avoid side-channels attacks, we need to apply
the per destination check first.
This patch makes the following change :
1) icmp_global_allow() checks if the host wide limit is reached.
But credits are not yet consumed. This is deferred to 3)
2) The per destination limit is checked/updated.
This might add a new node in inetpeer tree.
3) icmp_global_consume() consumes tokens if prior operations succeeded.
This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.
As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:07:41.965400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:14:17.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:20:43.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/icmp.c",
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "997ba8889611891f91e8ad83583466aeab6239a3",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "662ec52260cc07b9ae53ecd3925183c29d34288b",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "a7722921adb046e3836eb84372241f32584bdb07",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "483397b4ba280813e4a9c161a0a85172ddb43d19",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "8c2bd38b95f75f3d2a08c93e35303e26d480d24e",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/icmp.c",
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:37:04.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3"
},
{
"url": "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b"
},
{
"url": "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07"
},
{
"url": "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19"
},
{
"url": "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e"
}
],
"title": "icmp: change the order of rate limits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47678",
"datePublished": "2024-10-21T11:53:21.814Z",
"dateReserved": "2024-09-30T16:00:12.939Z",
"dateUpdated": "2025-11-03T22:20:43.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49429 (GCVE-0-2022-49429)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hfi1: Prevent panic when SDMA is disabled
If the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to
hfi1_write_iter() will dereference a NULL pointer and panic. A typical
stack frame is:
sdma_select_user_engine [hfi1]
hfi1_user_sdma_process_request [hfi1]
hfi1_write_iter [hfi1]
do_iter_readv_writev
do_iter_write
vfs_writev
do_writev
do_syscall_64
The fix is to test for SDMA in hfi1_write_iter() and fail the I/O with
EINVAL.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/file_ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33794e8e9bcb4affc0ebff9cdec85acc8b8a1762",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e4dda8b3f4c07ee9ea670a10ea3171a5e63a86f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e60ad83f645ee6fadd5a8057ba267aeec54f08fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cc80d3c37cec9d6ddb140483647901bc7cc6c31d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "32e6aea33944f364d51cd263e4cd236393a188b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29952ab85d6c3fe0b7909d9a737f10c58bf6824d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "22e7e400fd1a890db2ea13686324aff50e972f4f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "629e052d0c98e46dde9f0824f0aa437f678d9b8f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/file_ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Prevent panic when SDMA is disabled\n\nIf the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to\nhfi1_write_iter() will dereference a NULL pointer and panic. A typical\nstack frame is:\n\n sdma_select_user_engine [hfi1]\n hfi1_user_sdma_process_request [hfi1]\n hfi1_write_iter [hfi1]\n do_iter_readv_writev\n do_iter_write\n vfs_writev\n do_writev\n do_syscall_64\n\nThe fix is to test for SDMA in hfi1_write_iter() and fail the I/O with\nEINVAL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:29.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33794e8e9bcb4affc0ebff9cdec85acc8b8a1762"
},
{
"url": "https://git.kernel.org/stable/c/0e4dda8b3f4c07ee9ea670a10ea3171a5e63a86f"
},
{
"url": "https://git.kernel.org/stable/c/e60ad83f645ee6fadd5a8057ba267aeec54f08fe"
},
{
"url": "https://git.kernel.org/stable/c/cc80d3c37cec9d6ddb140483647901bc7cc6c31d"
},
{
"url": "https://git.kernel.org/stable/c/32e6aea33944f364d51cd263e4cd236393a188b6"
},
{
"url": "https://git.kernel.org/stable/c/29952ab85d6c3fe0b7909d9a737f10c58bf6824d"
},
{
"url": "https://git.kernel.org/stable/c/22e7e400fd1a890db2ea13686324aff50e972f4f"
},
{
"url": "https://git.kernel.org/stable/c/629e052d0c98e46dde9f0824f0aa437f678d9b8f"
}
],
"title": "RDMA/hfi1: Prevent panic when SDMA is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49429",
"datePublished": "2025-02-26T02:12:48.646Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T08:37:29.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49092 (GCVE-0-2022-49092)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix route with nexthop object delete warning
FRR folks have hit a kernel warning[1] while deleting routes[2] which is
caused by trying to delete a route pointing to a nexthop id without
specifying nhid but matching on an interface. That is, a route is found
but we hit a warning while matching it. The warning is from
fib_info_nh() in include/net/nexthop.h because we run it on a fib_info
with nexthop object. The call chain is:
inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a
nexthop fib_info and also with fc_oif set thus calling fib_info_nh on
the fib_info and triggering the warning). The fix is to not do any
matching in that branch if the fi has a nexthop object because those are
managed separately. I.e. we should match when deleting without nh spec and
should fail when deleting a nexthop route with old-style nh spec because
nexthop objects are managed separately, e.g.:
$ ip r show 1.2.3.4/32
1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0
$ ip r del 1.2.3.4/32
$ ip r del 1.2.3.4/32 nhid 12
<both should work>
$ ip r del 1.2.3.4/32 dev dummy0
<should fail with ESRCH>
[1]
[ 523.462226] ------------[ cut here ]------------
[ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460
[ 523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd
[ 523.462274] videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse
[ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1
[ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020
[ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460
[ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00
[ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286
[ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0
[ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380
[ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000
[ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031
[ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0
[ 523.462311] FS: 00007f2455
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 Version: 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_semantics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5064531c23ad646da7be8b938292b00a7e61438",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
},
{
"lessThan": "63ea57478aaa3e06a597081a0f537318fc04e49f",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
},
{
"lessThan": "907c97986d6fa77318d17659dd76c94b65dd27c5",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
},
{
"lessThan": "dcd689f9e2640c992f94eae9955b106f71c6825d",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
},
{
"lessThan": "f8db5743d09523c0bb35f16e13691e3b7eb5dba0",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
},
{
"lessThan": "6bf92d70e690b7ff12b24f4bfff5e5434d019b82",
"status": "affected",
"version": "4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_semantics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix route with nexthop object delete warning\n\nFRR folks have hit a kernel warning[1] while deleting routes[2] which is\ncaused by trying to delete a route pointing to a nexthop id without\nspecifying nhid but matching on an interface. That is, a route is found\nbut we hit a warning while matching it. The warning is from\nfib_info_nh() in include/net/nexthop.h because we run it on a fib_info\nwith nexthop object. The call chain is:\n inet_rtm_delroute -\u003e fib_table_delete -\u003e fib_nh_match (called with a\nnexthop fib_info and also with fc_oif set thus calling fib_info_nh on\nthe fib_info and triggering the warning). The fix is to not do any\nmatching in that branch if the fi has a nexthop object because those are\nmanaged separately. I.e. we should match when deleting without nh spec and\nshould fail when deleting a nexthop route with old-style nh spec because\nnexthop objects are managed separately, e.g.:\n $ ip r show 1.2.3.4/32\n 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0\n\n $ ip r del 1.2.3.4/32\n $ ip r del 1.2.3.4/32 nhid 12\n \u003cboth should work\u003e\n\n $ ip r del 1.2.3.4/32 dev dummy0\n \u003cshould fail with ESRCH\u003e\n\n[1]\n [ 523.462226] ------------[ cut here ]------------\n [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460\n [ 523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd\n [ 523.462274] videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse\n [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1\n [ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020\n [ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460\n [ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff \u003c0f\u003e 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00\n [ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286\n [ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0\n [ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380\n [ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000\n [ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031\n [ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0\n [ 523.462311] FS: 00007f2455\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:38.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5064531c23ad646da7be8b938292b00a7e61438"
},
{
"url": "https://git.kernel.org/stable/c/63ea57478aaa3e06a597081a0f537318fc04e49f"
},
{
"url": "https://git.kernel.org/stable/c/907c97986d6fa77318d17659dd76c94b65dd27c5"
},
{
"url": "https://git.kernel.org/stable/c/dcd689f9e2640c992f94eae9955b106f71c6825d"
},
{
"url": "https://git.kernel.org/stable/c/f8db5743d09523c0bb35f16e13691e3b7eb5dba0"
},
{
"url": "https://git.kernel.org/stable/c/6bf92d70e690b7ff12b24f4bfff5e5434d019b82"
}
],
"title": "net: ipv4: fix route with nexthop object delete warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49092",
"datePublished": "2025-02-26T01:54:47.172Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:38.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21760 (GCVE-0-2025-21760)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb()
ndisc_send_skb() can be called without RTNL or RCU held.
Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu()
and avoid a potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e Version: 1762f7e88eb34f653b4a915be99a102e347dd45e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:40.416234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:05.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "4d576202b90b1b95a7c428a80b536f91b8201bcc",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "e24d225e4cb8cf108bde00b76594499b98f0a74d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "ae38982f521621c216fc2f5182cd091f4734641d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "789230e5a8c1097301afc802e242c79bc8835c67",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "04e05112f10354ffc3bb6cc796d553bab161594c",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "ed6ae1f325d3c43966ec1b62ac1459e2b8e45640",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: extend RCU protection in ndisc_send_skb()\n\nndisc_send_skb() can be called without RTNL or RCU held.\n\nAcquire rcu_read_lock() earlier, so that we can use dev_net_rcu()\nand avoid a potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:32.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1"
},
{
"url": "https://git.kernel.org/stable/c/4d576202b90b1b95a7c428a80b536f91b8201bcc"
},
{
"url": "https://git.kernel.org/stable/c/e24d225e4cb8cf108bde00b76594499b98f0a74d"
},
{
"url": "https://git.kernel.org/stable/c/a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d"
},
{
"url": "https://git.kernel.org/stable/c/ae38982f521621c216fc2f5182cd091f4734641d"
},
{
"url": "https://git.kernel.org/stable/c/789230e5a8c1097301afc802e242c79bc8835c67"
},
{
"url": "https://git.kernel.org/stable/c/04e05112f10354ffc3bb6cc796d553bab161594c"
},
{
"url": "https://git.kernel.org/stable/c/ed6ae1f325d3c43966ec1b62ac1459e2b8e45640"
}
],
"title": "ndisc: extend RCU protection in ndisc_send_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21760",
"datePublished": "2025-02-27T02:18:13.496Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:05.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49139 (GCVE-0-2022-49139)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
This event is just specified for SCO and eSCO link types.
On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
of an existing LE connection, LE link type and a status that triggers the
second case of the packet processing a NULL pointer dereference happens,
as conn->link is NULL.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:01.755849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:02.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c1291a84e94f6501644634c97544bb8291e9a1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f9db1209f59844839175b5b907d3778cafde93d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c1aa0dd52db4ce888be0bd820c3fa918d350ca0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f61c23e73dc653b957781066abfa8105c3fa3f5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3afee2118132e93e5f6fa636dfde86201a860ab3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix null ptr deref on hci_sync_conn_complete_evt\n\nThis event is just specified for SCO and eSCO link types.\nOn the reception of a HCI_Synchronous_Connection_Complete for a BDADDR\nof an existing LE connection, LE link type and a status that triggers the\nsecond case of the packet processing a NULL pointer dereference happens,\nas conn-\u003elink is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:50.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c1291a84e94f6501644634c97544bb8291e9a1a"
},
{
"url": "https://git.kernel.org/stable/c/0f9db1209f59844839175b5b907d3778cafde93d"
},
{
"url": "https://git.kernel.org/stable/c/c1aa0dd52db4ce888be0bd820c3fa918d350ca0b"
},
{
"url": "https://git.kernel.org/stable/c/f61c23e73dc653b957781066abfa8105c3fa3f5b"
},
{
"url": "https://git.kernel.org/stable/c/3afee2118132e93e5f6fa636dfde86201a860ab3"
}
],
"title": "Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49139",
"datePublished": "2025-02-26T01:55:11.163Z",
"dateReserved": "2025-02-26T01:49:39.269Z",
"dateUpdated": "2025-10-01T19:57:02.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49940 (GCVE-0-2024-49940)
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-05-04 09:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: prevent possible tunnel refcount underflow
When a session is created, it sets a backpointer to its tunnel. When
the session refcount drops to 0, l2tp_session_free drops the tunnel
refcount if session->tunnel is non-NULL. However, session->tunnel is
set in l2tp_session_create, before the tunnel refcount is incremented
by l2tp_session_register, which leaves a small window where
session->tunnel is non-NULL when the tunnel refcount hasn't been
bumped.
Moving the assignment to l2tp_session_register is trivial but
l2tp_session_create calls l2tp_session_set_header_len which uses
session->tunnel to get the tunnel's encap. Add an encap arg to
l2tp_session_set_header_len to avoid using session->tunnel.
If l2tpv3 sessions have colliding IDs, it is possible for
l2tp_v3_session_get to race with l2tp_session_register and fetch a
session which doesn't yet have session->tunnel set. Add a check for
this case.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:37:52.827630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:50.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c",
"net/l2tp/l2tp_core.h",
"net/l2tp/l2tp_netlink.c",
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7415e60c25a6108cd7955a20b2e66b6251ffe02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24256415d18695b46da06c93135f5b51c548b950",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c",
"net/l2tp/l2tp_core.h",
"net/l2tp/l2tp_netlink.c",
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: prevent possible tunnel refcount underflow\n\nWhen a session is created, it sets a backpointer to its tunnel. When\nthe session refcount drops to 0, l2tp_session_free drops the tunnel\nrefcount if session-\u003etunnel is non-NULL. However, session-\u003etunnel is\nset in l2tp_session_create, before the tunnel refcount is incremented\nby l2tp_session_register, which leaves a small window where\nsession-\u003etunnel is non-NULL when the tunnel refcount hasn\u0027t been\nbumped.\n\nMoving the assignment to l2tp_session_register is trivial but\nl2tp_session_create calls l2tp_session_set_header_len which uses\nsession-\u003etunnel to get the tunnel\u0027s encap. Add an encap arg to\nl2tp_session_set_header_len to avoid using session-\u003etunnel.\n\nIf l2tpv3 sessions have colliding IDs, it is possible for\nl2tp_v3_session_get to race with l2tp_session_register and fetch a\nsession which doesn\u0027t yet have session-\u003etunnel set. Add a check for\nthis case."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:41:55.265Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02"
},
{
"url": "https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950"
}
],
"title": "l2tp: prevent possible tunnel refcount underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49940",
"datePublished": "2024-10-21T18:01:59.668Z",
"dateReserved": "2024-10-21T12:17:06.043Z",
"dateUpdated": "2025-05-04T09:41:55.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49202 (GCVE-0-2022-49202)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: add missing NULL check in h5_enqueue
Syzbot hit general protection fault in __pm_runtime_resume(). The problem
was in missing NULL check.
hu->serdev can be NULL and we should not blindly pass &serdev->dev
somewhere, since it will cause GPF.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_h5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7235485433d290367d60ae22fcdfc565e61d42ab",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "e6b6c904c0f88588b6a3ace20e4c0d61eab124f8",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "8a3896c30f542439d36303183dc96f65df8cc528",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
},
{
"lessThan": "32cb08e958696908a9aad5e49a78d74f7e32fffb",
"status": "affected",
"version": "d9dd833cf6d29695682ec7e7924c0d0992b906bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_h5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: add missing NULL check in h5_enqueue\n\nSyzbot hit general protection fault in __pm_runtime_resume(). The problem\nwas in missing NULL check.\n\nhu-\u003eserdev can be NULL and we should not blindly pass \u0026serdev-\u003edev\nsomewhere, since it will cause GPF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:15.567Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7235485433d290367d60ae22fcdfc565e61d42ab"
},
{
"url": "https://git.kernel.org/stable/c/e6b6c904c0f88588b6a3ace20e4c0d61eab124f8"
},
{
"url": "https://git.kernel.org/stable/c/8a3896c30f542439d36303183dc96f65df8cc528"
},
{
"url": "https://git.kernel.org/stable/c/32cb08e958696908a9aad5e49a78d74f7e32fffb"
}
],
"title": "Bluetooth: hci_uart: add missing NULL check in h5_enqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49202",
"datePublished": "2025-02-26T01:55:43.738Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:15.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21736 (GCVE-0-2025-21736)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix possible int overflows in nilfs_fiemap()
Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
by being prepared to go through potentially maxblocks == INT_MAX blocks,
the value in n may experience an overflow caused by left shift of blkbits.
While it is extremely unlikely to occur, play it safe and cast right hand
expression to wider type to mitigate the issue.
Found by Linux Verification Center (linuxtesting.org) with static analysis
tool SVACE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 Version: 622daaff0a8975fb5c5b95f24f3234550ba32e92 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:43.129Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7649937987fed51ed09985da4019d50189fc534e",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "58b1c6881081f5ddfb9a14dc241a74732c0f855c",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "8f41df5fd4c11d26e929a85f7239799641f92da7",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "f3d80f34f58445355fa27b9579a449fb186aa64e",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "f2bd0f1ab47822fe5bd699c8458b896c4b2edea1",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "b9495a9109abc31d3170f7aad7d48aa64610a1a2",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "250423300b4b0335918be187ef3cade248c06e6a",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
},
{
"lessThan": "6438ef381c183444f7f9d1de18f22661cba1e946",
"status": "affected",
"version": "622daaff0a8975fb5c5b95f24f3234550ba32e92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix possible int overflows in nilfs_fiemap()\n\nSince nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result\nby being prepared to go through potentially maxblocks == INT_MAX blocks,\nthe value in n may experience an overflow caused by left shift of blkbits.\n\nWhile it is extremely unlikely to occur, play it safe and cast right hand\nexpression to wider type to mitigate the issue.\n\nFound by Linux Verification Center (linuxtesting.org) with static analysis\ntool SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:03.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7649937987fed51ed09985da4019d50189fc534e"
},
{
"url": "https://git.kernel.org/stable/c/58b1c6881081f5ddfb9a14dc241a74732c0f855c"
},
{
"url": "https://git.kernel.org/stable/c/8f41df5fd4c11d26e929a85f7239799641f92da7"
},
{
"url": "https://git.kernel.org/stable/c/f3d80f34f58445355fa27b9579a449fb186aa64e"
},
{
"url": "https://git.kernel.org/stable/c/f2bd0f1ab47822fe5bd699c8458b896c4b2edea1"
},
{
"url": "https://git.kernel.org/stable/c/b9495a9109abc31d3170f7aad7d48aa64610a1a2"
},
{
"url": "https://git.kernel.org/stable/c/250423300b4b0335918be187ef3cade248c06e6a"
},
{
"url": "https://git.kernel.org/stable/c/6438ef381c183444f7f9d1de18f22661cba1e946"
}
],
"title": "nilfs2: fix possible int overflows in nilfs_fiemap()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21736",
"datePublished": "2025-02-27T02:12:12.871Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-11-03T19:36:43.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49322 (GCVE-0-2022-49322)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix sleeping function called from invalid context on RT kernel
When setting bootparams="trace_event=initcall:initcall_start tp_printk=1" in the
cmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the
atomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,
these locks are replaced with sleepable rt-spinlock, so the stack calltrace will
be triggered.
Fix it by raw_spin_lock_irqsave when PREEMPT_RT and "trace_event=initcall:initcall_start
tp_printk=1" enabled.
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
preempt_count: 2, expected: 0
RCU nest depth: 0, expected: 0
Preemption disabled at:
[<ffffffff8992303e>] try_to_wake_up+0x7e/0xba0
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x60/0x8c
dump_stack+0x10/0x12
__might_resched.cold+0x11d/0x155
rt_spin_lock+0x40/0x70
trace_event_buffer_commit+0x2fa/0x4c0
? map_vsyscall+0x93/0x93
trace_event_raw_event_initcall_start+0xbe/0x110
? perf_trace_initcall_finish+0x210/0x210
? probe_sched_wakeup+0x34/0x40
? ttwu_do_wakeup+0xda/0x310
? trace_hardirqs_on+0x35/0x170
? map_vsyscall+0x93/0x93
do_one_initcall+0x217/0x3c0
? trace_event_raw_event_initcall_level+0x170/0x170
? push_cpu_stop+0x400/0x400
? cblist_init_generic+0x241/0x290
kernel_init_freeable+0x1ac/0x347
? _raw_spin_unlock_irq+0x65/0x80
? rest_init+0xf0/0xf0
kernel_init+0x1e/0x150
ret_from_fork+0x22/0x30
</TASK>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:41.615652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:56.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be1f323fb9d9b14a505ca22d742d321769454de1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40f9fde06b25884baa0c4bd138b909a9b67218b4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48c6ee7d6c614f09b2c8553a95eefef6ecf196e0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1788e6dbb61286215442b1af99e51405a6206762",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b534640a2c6a8d88168febc82ec6d161184f2ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43bfc4dccc416c964b53cbdc430e814f8b6f770b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9abf3db8bdb63ab545034148ef2118f4d088ca59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "12025abdc8539ed9d5014e2d647a3fd1bd3de5cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix sleeping function called from invalid context on RT kernel\n\nWhen setting bootparams=\"trace_event=initcall:initcall_start tp_printk=1\" in the\ncmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the\natomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,\nthese locks are replaced with sleepable rt-spinlock, so the stack calltrace will\nbe triggered.\nFix it by raw_spin_lock_irqsave when PREEMPT_RT and \"trace_event=initcall:initcall_start\ntp_printk=1\" enabled.\n\n BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n Preemption disabled at:\n [\u003cffffffff8992303e\u003e] try_to_wake_up+0x7e/0xba0\n CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x60/0x8c\n dump_stack+0x10/0x12\n __might_resched.cold+0x11d/0x155\n rt_spin_lock+0x40/0x70\n trace_event_buffer_commit+0x2fa/0x4c0\n ? map_vsyscall+0x93/0x93\n trace_event_raw_event_initcall_start+0xbe/0x110\n ? perf_trace_initcall_finish+0x210/0x210\n ? probe_sched_wakeup+0x34/0x40\n ? ttwu_do_wakeup+0xda/0x310\n ? trace_hardirqs_on+0x35/0x170\n ? map_vsyscall+0x93/0x93\n do_one_initcall+0x217/0x3c0\n ? trace_event_raw_event_initcall_level+0x170/0x170\n ? push_cpu_stop+0x400/0x400\n ? cblist_init_generic+0x241/0x290\n kernel_init_freeable+0x1ac/0x347\n ? _raw_spin_unlock_irq+0x65/0x80\n ? rest_init+0xf0/0xf0\n kernel_init+0x1e/0x150\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:10.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be1f323fb9d9b14a505ca22d742d321769454de1"
},
{
"url": "https://git.kernel.org/stable/c/40f9fde06b25884baa0c4bd138b909a9b67218b4"
},
{
"url": "https://git.kernel.org/stable/c/48c6ee7d6c614f09b2c8553a95eefef6ecf196e0"
},
{
"url": "https://git.kernel.org/stable/c/1788e6dbb61286215442b1af99e51405a6206762"
},
{
"url": "https://git.kernel.org/stable/c/9b534640a2c6a8d88168febc82ec6d161184f2ec"
},
{
"url": "https://git.kernel.org/stable/c/43bfc4dccc416c964b53cbdc430e814f8b6f770b"
},
{
"url": "https://git.kernel.org/stable/c/9abf3db8bdb63ab545034148ef2118f4d088ca59"
},
{
"url": "https://git.kernel.org/stable/c/12025abdc8539ed9d5014e2d647a3fd1bd3de5cd"
}
],
"title": "tracing: Fix sleeping function called from invalid context on RT kernel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49322",
"datePublished": "2025-02-26T02:10:46.658Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-10-01T19:46:56.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21756 (GCVE-0-2025-21756)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Keep the binding until socket destruction
Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().
Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:
1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if
sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before
__vsock_insert_bound(vsock_bound_sockets()) calls
__vsock_remove_bound() which does:
list_del_init(&vsk->bound_table); // nop
sock_put(&vsk->sk); // refcnt=0
BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
__vsock_bind+0x62e/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
__vsock_create.constprop.0+0x2e/0xb60
vsock_create+0xe4/0x420
__sock_create+0x241/0x650
__sys_socket+0xf2/0x1a0
__x64_sys_socket+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
__vsock_bind+0x5e1/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
__vsock_bind+0x66d/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
vsock_remove_bound+0x187/0x1e0
__vsock_release+0x383/0x4a0
vsock_release+0x90/0x120
__sock_release+0xa3/0x250
sock_close+0x14/0x20
__fput+0x359/0xa80
task_work_run+0x107/0x1d0
do_exit+0x847/0x2560
do_group_exit+0xb8/0x250
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0xfec/0x14f0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21756",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T21:01:56.187542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T21:02:02.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:01.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7754d564579a5db9c5c9f74228df5d6dd6f1173",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "e48fcb403c2d0e574c19683f09399ab4cf67809c",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "42b33381e5e1f2b967dc4fb4221ddb9aaf10d197",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "3f43540166128951cc1be7ab1ce6b7f05c670d8b",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "645ce25aa0e67895b11d89f27bb86c9d444c40f8",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "b1afd40321f1c243cffbcf40ea7ca41aca87fa5e",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "fcdd2242c0231032fc84e1404315c245ae56322a",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Keep the binding until socket destruction\n\nPreserve sockets bindings; this includes both resulting from an explicit\nbind() and those implicitly bound through autobind during connect().\n\nPrevents socket unbinding during a transport reassignment, which fixes a\nuse-after-free:\n\n 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\n 2. transport-\u003erelease() calls vsock_remove_bound() without checking if\n sk was bound and moved to bound list (refcnt=1)\n 3. vsock_bind() assumes sk is in unbound list and before\n __vsock_insert_bound(vsock_bound_sockets()) calls\n __vsock_remove_bound() which does:\n list_del_init(\u0026vsk-\u003ebound_table); // nop\n sock_put(\u0026vsk-\u003esk); // refcnt=0\n\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n __vsock_bind+0x62e/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n __vsock_create.constprop.0+0x2e/0xb60\n vsock_create+0xe4/0x420\n __sock_create+0x241/0x650\n __sys_socket+0xf2/0x1a0\n __x64_sys_socket+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n __vsock_bind+0x5e1/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\nRIP: 0010:refcount_warn_saturate+0xce/0x150\n __vsock_bind+0x66d/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\nRIP: 0010:refcount_warn_saturate+0xee/0x150\n vsock_remove_bound+0x187/0x1e0\n __vsock_release+0x383/0x4a0\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x359/0xa80\n task_work_run+0x107/0x1d0\n do_exit+0x847/0x2560\n do_group_exit+0xb8/0x250\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0xfec/0x14f0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:28.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173"
},
{
"url": "https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c"
},
{
"url": "https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197"
},
{
"url": "https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b"
},
{
"url": "https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8"
},
{
"url": "https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e"
},
{
"url": "https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a"
}
],
"title": "vsock: Keep the binding until socket destruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21756",
"datePublished": "2025-02-27T02:18:11.547Z",
"dateReserved": "2024-12-29T08:45:45.760Z",
"dateUpdated": "2025-11-03T19:37:01.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53124 (GCVE-0-2024-53124)
Vulnerability from cvelistv5
Published
2024-12-02 13:44
Modified
2025-11-03 20:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix data-races around sk->sk_forward_alloc
Syzkaller reported this warning:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x88/0x130
? inet_sock_destruct+0x1c5/0x1e0
? report_bug+0x18e/0x1a0
? handle_bug+0x53/0x90
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? inet_sock_destruct+0x1c5/0x1e0
__sk_destruct+0x2a/0x200
rcu_do_batch+0x1aa/0x530
? rcu_do_batch+0x13b/0x530
rcu_core+0x159/0x2f0
handle_softirqs+0xd3/0x2b0
? __pfx_smpboot_thread_fn+0x10/0x10
run_ksoftirqd+0x25/0x30
smpboot_thread_fn+0xdd/0x1d0
kthread+0xd3/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
which triggers a data-race around sk->sk_forward_alloc:
tcp_v6_rcv
tcp_v6_do_rcv
skb_clone_and_charge_r
sk_rmem_schedule
__sk_mem_schedule
sk_forward_alloc_add()
skb_set_owner_r
sk_mem_charge
sk_forward_alloc_add()
__kfree_skb
skb_release_all
skb_release_head_state
sock_rfree
sk_mem_uncharge
sk_forward_alloc_add()
sk_mem_reclaim
// set local var reclaimable
__sk_mem_reclaim
sk_forward_alloc_add()
In this syzkaller testcase, two threads call
tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
this:
(cpu 1) | (cpu 2) | sk_forward_alloc
... | ... | 0
__sk_mem_schedule() | | +4096 = 4096
| __sk_mem_schedule() | +4096 = 8192
sk_mem_charge() | | -768 = 7424
| sk_mem_charge() | -768 = 6656
... | ... |
sk_mem_uncharge() | | +768 = 7424
reclaimable=7424 | |
| sk_mem_uncharge() | +768 = 8192
| reclaimable=8192 |
__sk_mem_reclaim() | | -4096 = 4096
| __sk_mem_reclaim() | -8192 = -4096 != 0
The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
Fix the same issue in dccp_v6_do_rcv().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 Version: e994b2f0fb9229aeff5eea9541320bd7b2ca8714 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:46:04.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv6.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "fe2c0bd6d1e29ccefdc978b9a290571c93c27473",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "c3d052cae566ec2285f5999958a5deb415a0f59e",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "be7c61ea5f816168c38955eb4e898adc8b4b32fd",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "3f51f8c9d28954cf380100883a02eed35a8277e9",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
},
{
"lessThan": "073d89808c065ac4c672c0a613a71b27a80691cb",
"status": "affected",
"version": "e994b2f0fb9229aeff5eea9541320bd7b2ca8714",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv6.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.234",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.290",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.234",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.177",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.127",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.74",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix data-races around sk-\u003esk_forward_alloc\n\nSyzkaller reported this warning:\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0\n Modules linked in:\n CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:inet_sock_destruct+0x1c5/0x1e0\n Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 \u003c0f\u003e 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206\n RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007\n RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00\n RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007\n R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00\n R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78\n FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? __warn+0x88/0x130\n ? inet_sock_destruct+0x1c5/0x1e0\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x53/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? inet_sock_destruct+0x1c5/0x1e0\n __sk_destruct+0x2a/0x200\n rcu_do_batch+0x1aa/0x530\n ? rcu_do_batch+0x13b/0x530\n rcu_core+0x159/0x2f0\n handle_softirqs+0xd3/0x2b0\n ? __pfx_smpboot_thread_fn+0x10/0x10\n run_ksoftirqd+0x25/0x30\n smpboot_thread_fn+0xdd/0x1d0\n kthread+0xd3/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nIts possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()\nconcurrently when sk-\u003esk_state == TCP_LISTEN with sk-\u003esk_lock unlocked,\nwhich triggers a data-race around sk-\u003esk_forward_alloc:\ntcp_v6_rcv\n tcp_v6_do_rcv\n skb_clone_and_charge_r\n sk_rmem_schedule\n __sk_mem_schedule\n sk_forward_alloc_add()\n skb_set_owner_r\n sk_mem_charge\n sk_forward_alloc_add()\n __kfree_skb\n skb_release_all\n skb_release_head_state\n sock_rfree\n sk_mem_uncharge\n sk_forward_alloc_add()\n sk_mem_reclaim\n // set local var reclaimable\n __sk_mem_reclaim\n sk_forward_alloc_add()\n\nIn this syzkaller testcase, two threads call\ntcp_v6_do_rcv() with skb-\u003etruesize=768, the sk_forward_alloc changes like\nthis:\n (cpu 1) | (cpu 2) | sk_forward_alloc\n ... | ... | 0\n __sk_mem_schedule() | | +4096 = 4096\n | __sk_mem_schedule() | +4096 = 8192\n sk_mem_charge() | | -768 = 7424\n | sk_mem_charge() | -768 = 6656\n ... | ... |\n sk_mem_uncharge() | | +768 = 7424\n reclaimable=7424 | |\n | sk_mem_uncharge() | +768 = 8192\n | reclaimable=8192 |\n __sk_mem_reclaim() | | -4096 = 4096\n | __sk_mem_reclaim() | -8192 = -4096 != 0\n\nThe skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when\nsk-\u003esk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().\nFix the same issue in dccp_v6_do_rcv()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:53:37.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/695fb0b9aecfd5dd5b2946ba8897ac2c1eef654d"
},
{
"url": "https://git.kernel.org/stable/c/fe2c0bd6d1e29ccefdc978b9a290571c93c27473"
},
{
"url": "https://git.kernel.org/stable/c/c3d052cae566ec2285f5999958a5deb415a0f59e"
},
{
"url": "https://git.kernel.org/stable/c/be7c61ea5f816168c38955eb4e898adc8b4b32fd"
},
{
"url": "https://git.kernel.org/stable/c/3f51f8c9d28954cf380100883a02eed35a8277e9"
},
{
"url": "https://git.kernel.org/stable/c/d285eb9d0641c8344f2836081b4ccb7b3c5cc1b6"
},
{
"url": "https://git.kernel.org/stable/c/073d89808c065ac4c672c0a613a71b27a80691cb"
}
],
"title": "net: fix data-races around sk-\u003esk_forward_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53124",
"datePublished": "2024-12-02T13:44:54.257Z",
"dateReserved": "2024-11-19T17:17:24.995Z",
"dateUpdated": "2025-11-03T20:46:04.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21779 (GCVE-0-2025-21779)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel
Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
only if the local API is emulated/virtualized by KVM, and explicitly reject
said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.
Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
Hyper-V enlightenments are exposed to the guest without an in-kernel local
APIC:
dump_stack+0xbe/0xfd
__kasan_report.cold+0x34/0x84
kasan_report+0x3a/0x50
__apic_accept_irq+0x3a/0x5c0
kvm_hv_send_ipi.isra.0+0x34e/0x820
kvm_hv_hypercall+0x8d9/0x9d0
kvm_emulate_hypercall+0x506/0x7e0
__vmx_handle_exit+0x283/0xb60
vmx_handle_exit+0x1d/0xd0
vcpu_enter_guest+0x16b0/0x24c0
vcpu_run+0xc0/0x550
kvm_arch_vcpu_ioctl_run+0x170/0x6d0
kvm_vcpu_ioctl+0x413/0xb20
__se_sys_ioctl+0x111/0x160
do_syscal1_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
can't be modified after vCPUs are created, i.e. if one vCPU has an
in-kernel local APIC, then all vCPUs have an in-kernel local APIC.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:24.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61224533f2b61e252b03e214195d27d64b22989a",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "45fa526b0f5a34492ed0536c3cdf88b78380e4de",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "5393cf22312418262679eaadb130d608c75fe690",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "874ff13c73c45ecb38cb82191e8c1d523f0dc81b",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "aca8be4403fb90db7adaf63830e27ebe787a76e8",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "ca29f58ca374c40a0e69c5306fc5c940a0069074",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
},
{
"lessThan": "a8de7f100bb5989d9c3627d3a223ee1c863f3b69",
"status": "affected",
"version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/hyperv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel\n\nAdvertise support for Hyper-V\u0027s SEND_IPI and SEND_IPI_EX hypercalls if and\nonly if the local API is emulated/virtualized by KVM, and explicitly reject\nsaid hypercalls if the local APIC is emulated in userspace, i.e. don\u0027t rely\non userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.\n\nRejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if\nHyper-V enlightenments are exposed to the guest without an in-kernel local\nAPIC:\n\n dump_stack+0xbe/0xfd\n __kasan_report.cold+0x34/0x84\n kasan_report+0x3a/0x50\n __apic_accept_irq+0x3a/0x5c0\n kvm_hv_send_ipi.isra.0+0x34e/0x820\n kvm_hv_hypercall+0x8d9/0x9d0\n kvm_emulate_hypercall+0x506/0x7e0\n __vmx_handle_exit+0x283/0xb60\n vmx_handle_exit+0x1d/0xd0\n vcpu_enter_guest+0x16b0/0x24c0\n vcpu_run+0xc0/0x550\n kvm_arch_vcpu_ioctl_run+0x170/0x6d0\n kvm_vcpu_ioctl+0x413/0xb20\n __se_sys_ioctl+0x111/0x160\n do_syscal1_64+0x30/0x40\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nNote, checking the sending vCPU is sufficient, as the per-VM irqchip_mode\ncan\u0027t be modified after vCPUs are created, i.e. if one vCPU has an\nin-kernel local APIC, then all vCPUs have an in-kernel local APIC."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:00.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a"
},
{
"url": "https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de"
},
{
"url": "https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690"
},
{
"url": "https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b"
},
{
"url": "https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8"
},
{
"url": "https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074"
},
{
"url": "https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69"
}
],
"title": "KVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21779",
"datePublished": "2025-02-27T02:18:23.001Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:24.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49686 (GCVE-0-2022-49686)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: fix list double add in uvcg_video_pump
A panic can occur if the endpoint becomes disabled and the
uvcg_video_pump adds the request back to the req_free list after it has
already been queued to the endpoint. The endpoint complete will add the
request back to the req_free list. Invalidate the local request handle
once it's been queued.
<6>[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)
<3>[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.
<6>[ 246.797213][ T26] ------------[ cut here ]------------
<2>[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31!
<6>[ 246.807073][ T26] Call trace:
<6>[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c
<6>[ 246.807366][ T26] process_one_work+0x2a4/0x544
<6>[ 246.807394][ T26] worker_thread+0x350/0x784
<6>[ 246.807442][ T26] kthread+0x2ac/0x320
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/uvc_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d95ac8b920de1d39525fadc408ce675697626ca6",
"status": "affected",
"version": "f9897ec0f6d34e8b2bc2f4c8ab8789351090f3d2",
"versionType": "git"
},
{
"lessThan": "96163f835e65f8c9897487fac965819f0651d671",
"status": "affected",
"version": "f9897ec0f6d34e8b2bc2f4c8ab8789351090f3d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/uvc_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix list double add in uvcg_video_pump\n\nA panic can occur if the endpoint becomes disabled and the\nuvcg_video_pump adds the request back to the req_free list after it has\nalready been queued to the endpoint. The endpoint complete will add the\nrequest back to the req_free list. Invalidate the local request handle\nonce it\u0027s been queued.\n\n\u003c6\u003e[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)\n\u003c3\u003e[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.\n\u003c6\u003e[ 246.797213][ T26] ------------[ cut here ]------------\n\u003c2\u003e[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31!\n\u003c6\u003e[ 246.807073][ T26] Call trace:\n\u003c6\u003e[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c\n\u003c6\u003e[ 246.807366][ T26] process_one_work+0x2a4/0x544\n\u003c6\u003e[ 246.807394][ T26] worker_thread+0x350/0x784\n\u003c6\u003e[ 246.807442][ T26] kthread+0x2ac/0x320"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:18.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d95ac8b920de1d39525fadc408ce675697626ca6"
},
{
"url": "https://git.kernel.org/stable/c/96163f835e65f8c9897487fac965819f0651d671"
}
],
"title": "usb: gadget: uvc: fix list double add in uvcg_video_pump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49686",
"datePublished": "2025-02-26T02:24:12.624Z",
"dateReserved": "2025-02-26T02:21:30.441Z",
"dateUpdated": "2025-05-04T08:43:18.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21714 (GCVE-0-2025-21714)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 07:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix implicit ODP use after free
Prevent double queueing of implicit ODP mr destroy work by using
__xa_cmpxchg() to make sure this is the only time we are destroying this
specific mr.
Without this change, we could try to invalidate this mr twice, which in
turn could result in queuing a MR work destroy twice, and eventually the
second work could execute after the MR was freed due to the first work,
causing a user after free and trace below.
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130
Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]
CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]
RIP: 0010:refcount_warn_saturate+0x12b/0x130
Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff
RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0
RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019
R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00
R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0
FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? refcount_warn_saturate+0x12b/0x130
free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]
process_one_work+0x1cc/0x3c0
worker_thread+0x218/0x3c0
kthread+0xc6/0xf0
ret_from_fork+0x1f/0x30
</TASK>
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:41.666348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cc8f681f6d4ae4478ae0f60485fc768f2b450da",
"status": "affected",
"version": "5256edcb98a14b11409a2d323f56a70a8b366363",
"versionType": "git"
},
{
"lessThan": "edfb65dbb9ffd3102f3ff4dd21316158e56f1976",
"status": "affected",
"version": "5256edcb98a14b11409a2d323f56a70a8b366363",
"versionType": "git"
},
{
"lessThan": "d3d930411ce390e532470194296658a960887773",
"status": "affected",
"version": "5256edcb98a14b11409a2d323f56a70a8b366363",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP use after free\n\nPrevent double queueing of implicit ODP mr destroy work by using\n__xa_cmpxchg() to make sure this is the only time we are destroying this\nspecific mr.\n\nWithout this change, we could try to invalidate this mr twice, which in\nturn could result in queuing a MR work destroy twice, and eventually the\nsecond work could execute after the MR was freed due to the first work,\ncausing a user after free and trace below.\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130\n Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\n CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]\n RIP: 0010:refcount_warn_saturate+0x12b/0x130\n Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff \u003c0f\u003e 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff\n RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027\n RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0\n RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019\n R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00\n R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0\n FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0x12b/0x130\n free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]\n process_one_work+0x1cc/0x3c0\n worker_thread+0x218/0x3c0\n kthread+0xc6/0xf0\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:32.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cc8f681f6d4ae4478ae0f60485fc768f2b450da"
},
{
"url": "https://git.kernel.org/stable/c/edfb65dbb9ffd3102f3ff4dd21316158e56f1976"
},
{
"url": "https://git.kernel.org/stable/c/d3d930411ce390e532470194296658a960887773"
}
],
"title": "RDMA/mlx5: Fix implicit ODP use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21714",
"datePublished": "2025-02-27T02:07:25.570Z",
"dateReserved": "2024-12-29T08:45:45.752Z",
"dateUpdated": "2025-05-04T07:19:32.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29900 (GCVE-0-2022-29900)
Vulnerability from cvelistv5
Published
2022-07-12 15:50
Modified
2024-11-20 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- NA
Summary
Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AMD | AMD Processors |
Version: Processor Some AMD Processors |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:43.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037"
},
{
"name": "FEDORA-2022-a0d7a5eaf2",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/"
},
{
"name": "DSA-5207",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5207"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:09:18.710200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T16:13:31.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AMD Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "Processor Some AMD Processors"
}
]
}
],
"datePublic": "2022-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NA",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-04T08:06:53.374904",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037"
},
{
"name": "FEDORA-2022-a0d7a5eaf2",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/"
},
{
"name": "DSA-5207",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5207"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2022-29900",
"datePublished": "2022-07-12T15:50:10.585306Z",
"dateReserved": "2022-04-28T00:00:00",
"dateUpdated": "2024-11-20T16:13:31.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49297 (GCVE-0-2022-49297)
Vulnerability from cvelistv5
Published
2025-02-26 02:01
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix io hung while disconnecting device
In our tests, "qemu-nbd" triggers a io hung:
INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000
Call Trace:
<TASK>
__schedule+0x480/0x1050
? _raw_spin_lock_irqsave+0x3e/0xb0
schedule+0x9c/0x1b0
blk_mq_freeze_queue_wait+0x9d/0xf0
? ipi_rseq+0x70/0x70
blk_mq_freeze_queue+0x2b/0x40
nbd_add_socket+0x6b/0x270 [nbd]
nbd_ioctl+0x383/0x510 [nbd]
blkdev_ioctl+0x18e/0x3e0
__x64_sys_ioctl+0xac/0x120
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd8ff706577
RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0
"qemu-ndb -d" will call ioctl 'NBD_DISCONNECT' first, however, following
message was found:
block nbd0: Send disconnect failed -32
Which indicate that something is wrong with the server. Then,
"qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear
requests after commit 2516ab1543fd("nbd: only clear the queue on device
teardown"). And in the meantime, request can't complete through timeout
because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which
means such request will never be completed in this situation.
Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't
complete multiple times, switch back to call nbd_clear_sock() in
nbd_clear_sock_ioctl(), so that inflight requests can be cleared.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc Version: 2516ab1543fdd1f9d08385d73cae51f668a9f3dc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67e403136a0e1a55fef6a05f103a3979a39ad3fd",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "62d227f67a8c25d5e16f40e5290607f9306d2188",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "f72df77600a43e59b3189e53b47f8685739867d3",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "c4ba982bd5084fa659ef518aaf159e4dab02ecda",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "54b06dc2a206b4d67349bb56b92d4bd32700b7b1",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "141318e62db87105b0103fccc59c9c5940da248d",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
},
{
"lessThan": "09dadb5985023e27d4740ebd17e6fea4640110e5",
"status": "affected",
"version": "2516ab1543fdd1f9d08385d73cae51f668a9f3dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix io hung while disconnecting device\n\nIn our tests, \"qemu-nbd\" triggers a io hung:\n\nINFO: task qemu-nbd:11445 blocked for more than 368 seconds.\n Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x480/0x1050\n ? _raw_spin_lock_irqsave+0x3e/0xb0\n schedule+0x9c/0x1b0\n blk_mq_freeze_queue_wait+0x9d/0xf0\n ? ipi_rseq+0x70/0x70\n blk_mq_freeze_queue+0x2b/0x40\n nbd_add_socket+0x6b/0x270 [nbd]\n nbd_ioctl+0x383/0x510 [nbd]\n blkdev_ioctl+0x18e/0x3e0\n __x64_sys_ioctl+0xac/0x120\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fd8ff706577\nRSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577\nRDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f\nRBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0\nR10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d\nR13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0\n\n\"qemu-ndb -d\" will call ioctl \u0027NBD_DISCONNECT\u0027 first, however, following\nmessage was found:\n\nblock nbd0: Send disconnect failed -32\n\nWhich indicate that something is wrong with the server. Then,\n\"qemu-nbd -d\" will call ioctl \u0027NBD_CLEAR_SOCK\u0027, however ioctl can\u0027t clear\nrequests after commit 2516ab1543fd(\"nbd: only clear the queue on device\nteardown\"). And in the meantime, request can\u0027t complete through timeout\nbecause nbd_xmit_timeout() will always return \u0027BLK_EH_RESET_TIMER\u0027, which\nmeans such request will never be completed in this situation.\n\nNow that the flag \u0027NBD_CMD_INFLIGHT\u0027 can make sure requests won\u0027t\ncomplete multiple times, switch back to call nbd_clear_sock() in\nnbd_clear_sock_ioctl(), so that inflight requests can be cleared."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:00.620Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67e403136a0e1a55fef6a05f103a3979a39ad3fd"
},
{
"url": "https://git.kernel.org/stable/c/62d227f67a8c25d5e16f40e5290607f9306d2188"
},
{
"url": "https://git.kernel.org/stable/c/69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd"
},
{
"url": "https://git.kernel.org/stable/c/f72df77600a43e59b3189e53b47f8685739867d3"
},
{
"url": "https://git.kernel.org/stable/c/c4ba982bd5084fa659ef518aaf159e4dab02ecda"
},
{
"url": "https://git.kernel.org/stable/c/54b06dc2a206b4d67349bb56b92d4bd32700b7b1"
},
{
"url": "https://git.kernel.org/stable/c/141318e62db87105b0103fccc59c9c5940da248d"
},
{
"url": "https://git.kernel.org/stable/c/09dadb5985023e27d4740ebd17e6fea4640110e5"
}
],
"title": "nbd: fix io hung while disconnecting device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49297",
"datePublished": "2025-02-26T02:01:26.628Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-29T10:50:00.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49563 (GCVE-0-2022-49563)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - add param check for RSA
Reject requests with a source buffer that is bigger than the size of the
key. This is to prevent a possible integer underflow that might happen
when copying the source scatterlist into a linear buffer.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:10.210375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d6d2adce08788b7667a6e58002682ea1bbf6a79",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
},
{
"lessThan": "f993321e50ba7a8ba4f5b19939e1772a921a1c42",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
},
{
"lessThan": "9714061423b8b24b8afb31b8eb4df977c63f19c4",
"status": "affected",
"version": "a990532023b903b10cf14736241cdd138e4bc92c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for RSA\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:08.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d6d2adce08788b7667a6e58002682ea1bbf6a79"
},
{
"url": "https://git.kernel.org/stable/c/f993321e50ba7a8ba4f5b19939e1772a921a1c42"
},
{
"url": "https://git.kernel.org/stable/c/9714061423b8b24b8afb31b8eb4df977c63f19c4"
}
],
"title": "crypto: qat - add param check for RSA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49563",
"datePublished": "2025-02-26T02:23:10.252Z",
"dateReserved": "2025-02-26T02:08:31.591Z",
"dateUpdated": "2025-10-01T19:46:38.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49055 (GCVE-0-2022-49055)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Check for potential null return of kmalloc_array()
As the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference.
Therefore, it is better to check the return value of kmalloc_array() to avoid this confusion.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb Version: f3a398183f7b9ef78f6b71ee9f7641e046403bcb |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:06.598307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32cf90a521dcc0f136db7ee5ba32bfe5f79e460e",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "40bf32dbfef866c83a3e74800b81d79e52b6d20b",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "94869bb0de69a812f70231b0eb480bb2f7ae73a6",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "c7a268b33882d5feaafd29c1734456f41ba41396",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "1d7a5aae884ca727d41c7ed15d4c82fdb67c040c",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "f2658d5966bcee8c3eb487875f459756d4f7cdfc",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "0a692c625e373fef692ffbc7fc41f8a025f01cb7",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
},
{
"lessThan": "ebbb7bb9e80305820dc2328a371c1b35679f2667",
"status": "affected",
"version": "f3a398183f7b9ef78f6b71ee9f7641e046403bcb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Check for potential null return of kmalloc_array()\n\nAs the kmalloc_array() may return null, the \u0027event_waiters[i].wait\u0027 would lead to null-pointer dereference.\nTherefore, it is better to check the return value of kmalloc_array() to avoid this confusion."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:05.323Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32cf90a521dcc0f136db7ee5ba32bfe5f79e460e"
},
{
"url": "https://git.kernel.org/stable/c/40bf32dbfef866c83a3e74800b81d79e52b6d20b"
},
{
"url": "https://git.kernel.org/stable/c/94869bb0de69a812f70231b0eb480bb2f7ae73a6"
},
{
"url": "https://git.kernel.org/stable/c/c7a268b33882d5feaafd29c1734456f41ba41396"
},
{
"url": "https://git.kernel.org/stable/c/1d7a5aae884ca727d41c7ed15d4c82fdb67c040c"
},
{
"url": "https://git.kernel.org/stable/c/f2658d5966bcee8c3eb487875f459756d4f7cdfc"
},
{
"url": "https://git.kernel.org/stable/c/0a692c625e373fef692ffbc7fc41f8a025f01cb7"
},
{
"url": "https://git.kernel.org/stable/c/ebbb7bb9e80305820dc2328a371c1b35679f2667"
}
],
"title": "drm/amdkfd: Check for potential null return of kmalloc_array()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49055",
"datePublished": "2025-02-26T01:54:27.771Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-10-01T19:57:06.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21858 (GCVE-0-2025-21858)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
geneve: Fix use-after-free in geneve_find_dev().
syzkaller reported a use-after-free in geneve_find_dev() [0]
without repro.
geneve_configure() links struct geneve_dev.next to
net_generic(net, geneve_net_id)->geneve_list.
The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,
IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.
When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally
calls unregister_netdevice_queue() for each dev in the netns,
and later the dev is freed.
However, its geneve_dev.next is still linked to the backend UDP
socket netns.
Then, use-after-free will occur when another geneve dev is created
in the netns.
Let's call geneve_dellink() instead in geneve_destroy_tunnels().
[0]:
BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441
CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
geneve_find_dev drivers/net/geneve.c:1295 [inline]
geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600
Allocated by task 13247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_n
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b Version: 2d07dc79fe04a43d82a346ced6bbf07bdb523f1b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T13:19:41.982339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T13:23:48.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:13.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/geneve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5e86e27de0936f3cb0a299ce519d993e9cf3886",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "5a0538ac6826807d6919f6aecbb8996c2865af2c",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "f74f6560146714241c6e167b03165ee77a86e316",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "904e746b2e7fa952ab8801b303ce826a63153d78",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "3ce92ca990cfac88a87c61df3cc0b5880e688ecf",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "da9b0ae47f084014b1e4b3f31f70a0defd047ff3",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "788dbca056a8783ec063da3c9d49a3a71c76c283",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
},
{
"lessThan": "9593172d93b9f91c362baec4643003dc29802929",
"status": "affected",
"version": "2d07dc79fe04a43d82a346ced6bbf07bdb523f1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/geneve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: Fix use-after-free in geneve_find_dev().\n\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\n\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)-\u003egeneve_list.\n\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\n\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\n\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\n\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\n\nLet\u0027s call geneve_dellink() instead in geneve_destroy_tunnels().\n\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441\n\nCPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379\n geneve_find_dev drivers/net/geneve.c:1295 [inline]\n geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\n geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634\n rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:713 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568\n ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622\n __sys_sendmsg net/socket.c:2654 [inline]\n __do_sys_sendmsg net/socket.c:2659 [inline]\n __se_sys_sendmsg net/socket.c:2657 [inline]\n __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600\n\nAllocated by task 13247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4298 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645\n alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470\n rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_n\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:40.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886"
},
{
"url": "https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c"
},
{
"url": "https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316"
},
{
"url": "https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78"
},
{
"url": "https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf"
},
{
"url": "https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3"
},
{
"url": "https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283"
},
{
"url": "https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929"
}
],
"title": "geneve: Fix use-after-free in geneve_find_dev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21858",
"datePublished": "2025-03-12T09:42:11.343Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-11-03T19:38:13.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49266 (GCVE-0-2022-49266)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-08-28 14:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix rq-qos breakage from skipping rq_qos_done_bio()
a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't
tracked") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.
While this fixed a potential oops, it also broke blk-iocost by skipping the
done_bio callback for merged bios.
Before, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),
rq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED
distinguishing the former from the latter. rq_qos_done_bio() is not called
for bios which wenth through rq_qos_merge(). This royally confuses
blk-iocost as the merged bios never finish and are considered perpetually
in-flight.
One reliably reproducible failure mode is an intermediate cgroup geting
stuck active preventing its children from being activated due to the
leaf-only rule, leading to loss of control. The following is from
resctl-bench protection scenario which emulates isolating a web server like
workload from a memory bomb run on an iocost configuration which should
yield a reasonable level of protection.
# cat /sys/block/nvme2n1/device/model
Samsung SSD 970 PRO 512GB
# cat /sys/fs/cgroup/io.cost.model
259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025
# cat /sys/fs/cgroup/io.cost.qos
259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00
# resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
...
Memory Hog Summary
==================
IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m
W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m
Isolation and Request Latency Impact Distributions:
min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev
isol% 15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82
lat-imp% 0 0 0 0 0 4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6
Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%
The isolation result of 58.12% is close to what this device would show
without any IO control.
Fix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and
calling rq_qos_done_bio() on them too. For consistency and clarity, rename
BIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into
rq_qos_done_bio() so that it's next to the code paths that set the flags.
With the patch applied, the above same benchmark shows:
# resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
...
Memory Hog Summary
==================
IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m
W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m
Isolation and Request Latency Impact Distributions:
min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev
isol% 84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42 2.81
lat-imp% 0 0 0 0 0 2.81 5.73 11.11 13.92 17.53 22.61 4.10 4.68
Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a647a524a46736786c95cdb553a070322ca096e3 Version: a647a524a46736786c95cdb553a070322ca096e3 Version: a647a524a46736786c95cdb553a070322ca096e3 Version: a647a524a46736786c95cdb553a070322ca096e3 Version: db60edbfff332a6a5477c367af8125f034570989 Version: 004b8f8a691205a93d9e80d98b786b2b97424d6e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bio.c",
"block/blk-iolatency.c",
"block/blk-rq-qos.h",
"include/linux/blk_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af9452dfdba4bf7359ef7645eee2d243a1df0649",
"status": "affected",
"version": "a647a524a46736786c95cdb553a070322ca096e3",
"versionType": "git"
},
{
"lessThan": "dbd20bb904ad5731aaca8d009367a930d6ada111",
"status": "affected",
"version": "a647a524a46736786c95cdb553a070322ca096e3",
"versionType": "git"
},
{
"lessThan": "09737db4c891eba25e6f6383a7c38afd4acc883f",
"status": "affected",
"version": "a647a524a46736786c95cdb553a070322ca096e3",
"versionType": "git"
},
{
"lessThan": "aa1b46dcdc7baaf5fec0be25782ef24b26aa209e",
"status": "affected",
"version": "a647a524a46736786c95cdb553a070322ca096e3",
"versionType": "git"
},
{
"status": "affected",
"version": "db60edbfff332a6a5477c367af8125f034570989",
"versionType": "git"
},
{
"status": "affected",
"version": "004b8f8a691205a93d9e80d98b786b2b97424d6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bio.c",
"block/blk-iolatency.c",
"block/blk-rq-qos.h",
"include/linux/blk_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix rq-qos breakage from skipping rq_qos_done_bio()\n\na647a524a467 (\"block: don\u0027t call rq_qos_ops-\u003edone_bio if the bio isn\u0027t\ntracked\") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.\nWhile this fixed a potential oops, it also broke blk-iocost by skipping the\ndone_bio callback for merged bios.\n\nBefore, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),\nrq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED\ndistinguishing the former from the latter. rq_qos_done_bio() is not called\nfor bios which wenth through rq_qos_merge(). This royally confuses\nblk-iocost as the merged bios never finish and are considered perpetually\nin-flight.\n\nOne reliably reproducible failure mode is an intermediate cgroup geting\nstuck active preventing its children from being activated due to the\nleaf-only rule, leading to loss of control. The following is from\nresctl-bench protection scenario which emulates isolating a web server like\nworkload from a memory bomb run on an iocost configuration which should\nyield a reasonable level of protection.\n\n # cat /sys/block/nvme2n1/device/model\n Samsung SSD 970 PRO 512GB\n # cat /sys/fs/cgroup/io.cost.model\n 259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025\n # cat /sys/fs/cgroup/io.cost.qos\n 259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00\n # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n ...\n Memory Hog Summary\n ==================\n\n IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m\n W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m\n\n Isolation and Request Latency Impact Distributions:\n\n min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev\n isol% 15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82\n lat-imp% 0 0 0 0 0 4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6\n\n Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%\n\nThe isolation result of 58.12% is close to what this device would show\nwithout any IO control.\n\nFix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and\ncalling rq_qos_done_bio() on them too. For consistency and clarity, rename\nBIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into\nrq_qos_done_bio() so that it\u0027s next to the code paths that set the flags.\n\nWith the patch applied, the above same benchmark shows:\n\n # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n ...\n Memory Hog Summary\n ==================\n\n IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m\n W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m\n\n Isolation and Request Latency Impact Distributions:\n\n min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev\n isol% 84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42 2.81\n lat-imp% 0 0 0 0 0 2.81 5.73 11.11 13.92 17.53 22.61 4.10 4.68\n\n Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:42:36.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af9452dfdba4bf7359ef7645eee2d243a1df0649"
},
{
"url": "https://git.kernel.org/stable/c/dbd20bb904ad5731aaca8d009367a930d6ada111"
},
{
"url": "https://git.kernel.org/stable/c/09737db4c891eba25e6f6383a7c38afd4acc883f"
},
{
"url": "https://git.kernel.org/stable/c/aa1b46dcdc7baaf5fec0be25782ef24b26aa209e"
}
],
"title": "block: fix rq-qos breakage from skipping rq_qos_done_bio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49266",
"datePublished": "2025-02-26T01:56:15.709Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-08-28T14:42:36.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49145 (GCVE-0-2022-49145)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
If the NumEntries field in the _CPC return package is less than 2, do
not attempt to access the "Revision" element of that package, because
it may not be present then.
BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 Version: 337aadff8e4567e39669e07d9a88b789d78458b5 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/cppc_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3f15609ffa521de12244cd6af24002030dda3f5",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "d208ea44e25b31db5a4d5e8c31df51787a3e9303",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "28d5387c1994f5e1e0d41b30a1f3dd6e1f609252",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "cb249f8c00f40dba83b7da8207ac14ca46e9ec9e",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "e5b681822cac1f8093759b02e16c06b2c64b6788",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "97b5593fd1b182b3fdb180b6bbe64ec09669988b",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "b80b19b32a432c9eee1cd200ef7aaddf608f54d1",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "d7339f2a3938fb56b5f28d53f5345900b5fa0e74",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
},
{
"lessThan": "40d8abf364bcab23bc715a9221a3c8623956257b",
"status": "affected",
"version": "337aadff8e4567e39669e07d9a88b789d78458b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/cppc_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Avoid out of bounds access when parsing _CPC data\n\nIf the NumEntries field in the _CPC return package is less than 2, do\nnot attempt to access the \"Revision\" element of that package, because\nit may not be present then.\n\nBugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:56.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3f15609ffa521de12244cd6af24002030dda3f5"
},
{
"url": "https://git.kernel.org/stable/c/d208ea44e25b31db5a4d5e8c31df51787a3e9303"
},
{
"url": "https://git.kernel.org/stable/c/28d5387c1994f5e1e0d41b30a1f3dd6e1f609252"
},
{
"url": "https://git.kernel.org/stable/c/cb249f8c00f40dba83b7da8207ac14ca46e9ec9e"
},
{
"url": "https://git.kernel.org/stable/c/e5b681822cac1f8093759b02e16c06b2c64b6788"
},
{
"url": "https://git.kernel.org/stable/c/97b5593fd1b182b3fdb180b6bbe64ec09669988b"
},
{
"url": "https://git.kernel.org/stable/c/b80b19b32a432c9eee1cd200ef7aaddf608f54d1"
},
{
"url": "https://git.kernel.org/stable/c/d7339f2a3938fb56b5f28d53f5345900b5fa0e74"
},
{
"url": "https://git.kernel.org/stable/c/40d8abf364bcab23bc715a9221a3c8623956257b"
}
],
"title": "ACPI: CPPC: Avoid out of bounds access when parsing _CPC data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49145",
"datePublished": "2025-02-26T01:55:14.355Z",
"dateReserved": "2025-02-26T01:49:39.270Z",
"dateUpdated": "2025-05-04T08:30:56.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49316 (GCVE-0-2022-49316)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4: Don't hold the layoutget locks across multiple RPC calls
When doing layoutget as part of the open() compound, we have to be
careful to release the layout locks before we can call any further RPC
calls, such as setattr(). The reason is that those calls could trigger
a recall, which could deadlock.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 Version: 56f487f8c8fc5d6e582b79a86fc132d050129e15 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:59.003502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:57.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b3fc1496e7227cd6a39a80bbfb7588ef7c7a010",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "a2b3be930e79cc5d9d829f158e31172b2043f0cd",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "0ee5b9644f06b4d3cdcd9544f43f63312e425a4c",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "d4c2a041ed3ba114502d5ed6ace5b1a48d637a8e",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "08d7a26d115cc7892668baa9750f64bd8baca29b",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "ea759ae0a9ae5acee677d722129710ac89cc59c1",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
},
{
"lessThan": "6949493884fe88500de4af182588e071cf1544ee",
"status": "affected",
"version": "56f487f8c8fc5d6e582b79a86fc132d050129e15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Don\u0027t hold the layoutget locks across multiple RPC calls\n\nWhen doing layoutget as part of the open() compound, we have to be\ncareful to release the layout locks before we can call any further RPC\ncalls, such as setattr(). The reason is that those calls could trigger\na recall, which could deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:17.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b3fc1496e7227cd6a39a80bbfb7588ef7c7a010"
},
{
"url": "https://git.kernel.org/stable/c/a2b3be930e79cc5d9d829f158e31172b2043f0cd"
},
{
"url": "https://git.kernel.org/stable/c/0ee5b9644f06b4d3cdcd9544f43f63312e425a4c"
},
{
"url": "https://git.kernel.org/stable/c/d4c2a041ed3ba114502d5ed6ace5b1a48d637a8e"
},
{
"url": "https://git.kernel.org/stable/c/08d7a26d115cc7892668baa9750f64bd8baca29b"
},
{
"url": "https://git.kernel.org/stable/c/ea759ae0a9ae5acee677d722129710ac89cc59c1"
},
{
"url": "https://git.kernel.org/stable/c/6949493884fe88500de4af182588e071cf1544ee"
}
],
"title": "NFSv4: Don\u0027t hold the layoutget locks across multiple RPC calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49316",
"datePublished": "2025-02-26T02:10:43.569Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-10-01T19:46:57.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49719 (GCVE-0-2022-49719)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic/realview: Fix refcount leak in realview_gic_of_init
of_find_matching_node_and_match() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 Version: 82b0a434b436f5da69ddd24bd6a6fa5dc4484310 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:06.547256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:44.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-realview.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87da903ce632d5689bef66d56ee5dae700d82104",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "486f68f85085d9b16ae097679b1486dcb1b6eb69",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "b634af84bc1edece4e63317b0ad95618dd3a8693",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "56526c3883fc7a1f5898b1d40a02c8b8685a5d92",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "e52a58b79f11755ea7e877015c4a1704303fa55f",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "5d38720661a4b9c87705c206a6081177ffb8ec1d",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "16b603cb8d34c2d917983918db1f88c8b831baaa",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
},
{
"lessThan": "f4b98e314888cc51486421bcf6d52852452ea48b",
"status": "affected",
"version": "82b0a434b436f5da69ddd24bd6a6fa5dc4484310",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-realview.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic/realview: Fix refcount leak in realview_gic_of_init\n\nof_find_matching_node_and_match() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:01.952Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87da903ce632d5689bef66d56ee5dae700d82104"
},
{
"url": "https://git.kernel.org/stable/c/486f68f85085d9b16ae097679b1486dcb1b6eb69"
},
{
"url": "https://git.kernel.org/stable/c/b634af84bc1edece4e63317b0ad95618dd3a8693"
},
{
"url": "https://git.kernel.org/stable/c/56526c3883fc7a1f5898b1d40a02c8b8685a5d92"
},
{
"url": "https://git.kernel.org/stable/c/e52a58b79f11755ea7e877015c4a1704303fa55f"
},
{
"url": "https://git.kernel.org/stable/c/5d38720661a4b9c87705c206a6081177ffb8ec1d"
},
{
"url": "https://git.kernel.org/stable/c/16b603cb8d34c2d917983918db1f88c8b831baaa"
},
{
"url": "https://git.kernel.org/stable/c/f4b98e314888cc51486421bcf6d52852452ea48b"
}
],
"title": "irqchip/gic/realview: Fix refcount leak in realview_gic_of_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49719",
"datePublished": "2025-02-26T02:24:33.532Z",
"dateReserved": "2025-02-26T02:21:30.445Z",
"dateUpdated": "2025-10-01T19:36:44.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49133 (GCVE-0-2022-49133)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: svm range restore work deadlock when process exit
kfd_process_notifier_release flush svm_range_restore_work
which calls svm_range_list_lock_and_flush_work to flush deferred_list
work, but if deferred_list work mmput release the last user, it will
call exit_mmap -> notifier_release, it is deadlock with below backtrace.
Move flush svm_range_restore_work to kfd_process_wq_release to avoid
deadlock. Then svm_range_restore_work take task->mm ref to avoid mm is
gone while validating and mapping ranges to GPU.
Workqueue: events svm_range_deferred_list_work [amdgpu]
Call Trace:
wait_for_completion+0x94/0x100
__flush_work+0x12a/0x1e0
__cancel_work_timer+0x10e/0x190
cancel_delayed_work_sync+0x13/0x20
kfd_process_notifier_release+0x98/0x2a0 [amdgpu]
__mmu_notifier_release+0x74/0x1f0
exit_mmap+0x170/0x200
mmput+0x5d/0x130
svm_range_deferred_list_work+0x104/0x230 [amdgpu]
process_one_work+0x220/0x3c0
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_process.c",
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6be83086e91891081e0589e4b4645bf4643e897",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "858822905f4bf44100d63c5e22e263109976f7cb",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "6225bb3a88d22594aacea2485dc28ca12d596721",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_process.c",
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: svm range restore work deadlock when process exit\n\nkfd_process_notifier_release flush svm_range_restore_work\nwhich calls svm_range_list_lock_and_flush_work to flush deferred_list\nwork, but if deferred_list work mmput release the last user, it will\ncall exit_mmap -\u003e notifier_release, it is deadlock with below backtrace.\n\nMove flush svm_range_restore_work to kfd_process_wq_release to avoid\ndeadlock. Then svm_range_restore_work take task-\u003emm ref to avoid mm is\ngone while validating and mapping ranges to GPU.\n\nWorkqueue: events svm_range_deferred_list_work [amdgpu]\nCall Trace:\n wait_for_completion+0x94/0x100\n __flush_work+0x12a/0x1e0\n __cancel_work_timer+0x10e/0x190\n cancel_delayed_work_sync+0x13/0x20\n kfd_process_notifier_release+0x98/0x2a0 [amdgpu]\n __mmu_notifier_release+0x74/0x1f0\n exit_mmap+0x170/0x200\n mmput+0x5d/0x130\n svm_range_deferred_list_work+0x104/0x230 [amdgpu]\n process_one_work+0x220/0x3c0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:42.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6be83086e91891081e0589e4b4645bf4643e897"
},
{
"url": "https://git.kernel.org/stable/c/858822905f4bf44100d63c5e22e263109976f7cb"
},
{
"url": "https://git.kernel.org/stable/c/6225bb3a88d22594aacea2485dc28ca12d596721"
}
],
"title": "drm/amdkfd: svm range restore work deadlock when process exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49133",
"datePublished": "2025-02-26T01:55:07.722Z",
"dateReserved": "2025-02-26T01:49:39.267Z",
"dateUpdated": "2025-05-04T08:30:42.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49233 (GCVE-0-2022-49233)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Call dc_stream_release for remove link enc assignment
[Why]
A porting error resulted in the stream assignment for the link
being retained without being released - a memory leak.
[How]
Fix the porting error by adding back the dc_stream_release() intended
as part of the original patch.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:04.113969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:03.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_link_enc_cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a28b7b6a0c827ce672edcdb5b2b5916b0beebe03",
"status": "affected",
"version": "0bb24555858403671657f6dc025d2931e3e857bb",
"versionType": "git"
},
{
"lessThan": "f2bde8349c35d01d7c50456ea06a5c7d5e0e5ed0",
"status": "affected",
"version": "0bb24555858403671657f6dc025d2931e3e857bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_link_enc_cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Call dc_stream_release for remove link enc assignment\n\n[Why]\nA porting error resulted in the stream assignment for the link\nbeing retained without being released - a memory leak.\n\n[How]\nFix the porting error by adding back the dc_stream_release() intended\nas part of the original patch."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:59.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a28b7b6a0c827ce672edcdb5b2b5916b0beebe03"
},
{
"url": "https://git.kernel.org/stable/c/f2bde8349c35d01d7c50456ea06a5c7d5e0e5ed0"
}
],
"title": "drm/amd/display: Call dc_stream_release for remove link enc assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49233",
"datePublished": "2025-02-26T01:55:59.093Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-10-01T19:47:03.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49352 (GCVE-0-2022-49352)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-06-19 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix warning in ext4_handle_inode_extension
We got issue as follows:
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5741: Out of memory
EXT4-fs error (device loop0): ext4_setattr:5462: inode #13: comm syz-executor.0: mark_inode_dirty error
EXT4-fs error (device loop0) in ext4_setattr:5519: Out of memory
EXT4-fs error (device loop0): ext4_ind_map_blocks:595: inode #13: comm syz-executor.0: Can't allocate blocks for non-extent mapped inodes with bigalloc
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4361 at fs/ext4/file.c:301 ext4_file_write_iter+0x11c9/0x1220
Modules linked in:
CPU: 1 PID: 4361 Comm: syz-executor.0 Not tainted 5.10.0+ #1
RIP: 0010:ext4_file_write_iter+0x11c9/0x1220
RSP: 0018:ffff924d80b27c00 EFLAGS: 00010282
RAX: ffffffff815a3379 RBX: 0000000000000000 RCX: 000000003b000000
RDX: ffff924d81601000 RSI: 00000000000009cc RDI: 00000000000009cd
RBP: 000000000000000d R08: ffffffffbc5a2c6b R09: 0000902e0e52a96f
R10: ffff902e2b7c1b40 R11: ffff902e2b7c1b40 R12: 000000000000000a
R13: 0000000000000001 R14: ffff902e0e52aa10 R15: ffffffffffffff8b
FS: 00007f81a7f65700(0000) GS:ffff902e3bc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 000000012db88001 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
do_iter_readv_writev+0x2e5/0x360
do_iter_write+0x112/0x4c0
do_pwritev+0x1e5/0x390
__x64_sys_pwritev2+0x7e/0xa0
do_syscall_64+0x37/0x50
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Above issue may happen as follows:
Assume
inode.i_size=4096
EXT4_I(inode)->i_disksize=4096
step 1: set inode->i_isize = 8192
ext4_setattr
if (attr->ia_size != inode->i_size)
EXT4_I(inode)->i_disksize = attr->ia_size;
rc = ext4_mark_inode_dirty
ext4_reserve_inode_write
ext4_get_inode_loc
__ext4_get_inode_loc
sb_getblk --> return -ENOMEM
...
if (!error) ->will not update i_size
i_size_write(inode, attr->ia_size);
Now:
inode.i_size=4096
EXT4_I(inode)->i_disksize=8192
step 2: Direct write 4096 bytes
ext4_file_write_iter
ext4_dio_write_iter
iomap_dio_rw ->return error
if (extend)
ext4_handle_inode_extension
WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize);
->Then trigger warning.
To solve above issue, if mark inode dirty failed in ext4_setattr just
set 'EXT4_I(inode)->i_disksize' with old value.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adf490083ca52ebfb0b2fe64ff1ead00c0452dd7",
"status": "affected",
"version": "b1b4705d54abedfd69dcdf42779c521aa1e0fbd3",
"versionType": "git"
},
{
"lessThan": "b81d2ff6885e38fc745eeaf9565775055778fc0b",
"status": "affected",
"version": "b1b4705d54abedfd69dcdf42779c521aa1e0fbd3",
"versionType": "git"
},
{
"lessThan": "e383c2aa5f02ab571530dc5c5696479672478c25",
"status": "affected",
"version": "b1b4705d54abedfd69dcdf42779c521aa1e0fbd3",
"versionType": "git"
},
{
"lessThan": "1bcce88da60eccc946c0f4ed942b0f08cd565778",
"status": "affected",
"version": "b1b4705d54abedfd69dcdf42779c521aa1e0fbd3",
"versionType": "git"
},
{
"lessThan": "f4534c9fc94d22383f187b9409abb3f9df2e3db3",
"status": "affected",
"version": "b1b4705d54abedfd69dcdf42779c521aa1e0fbd3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix warning in ext4_handle_inode_extension\n\nWe got issue as follows:\nEXT4-fs error (device loop0) in ext4_reserve_inode_write:5741: Out of memory\nEXT4-fs error (device loop0): ext4_setattr:5462: inode #13: comm syz-executor.0: mark_inode_dirty error\nEXT4-fs error (device loop0) in ext4_setattr:5519: Out of memory\nEXT4-fs error (device loop0): ext4_ind_map_blocks:595: inode #13: comm syz-executor.0: Can\u0027t allocate blocks for non-extent mapped inodes with bigalloc\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 4361 at fs/ext4/file.c:301 ext4_file_write_iter+0x11c9/0x1220\nModules linked in:\nCPU: 1 PID: 4361 Comm: syz-executor.0 Not tainted 5.10.0+ #1\nRIP: 0010:ext4_file_write_iter+0x11c9/0x1220\nRSP: 0018:ffff924d80b27c00 EFLAGS: 00010282\nRAX: ffffffff815a3379 RBX: 0000000000000000 RCX: 000000003b000000\nRDX: ffff924d81601000 RSI: 00000000000009cc RDI: 00000000000009cd\nRBP: 000000000000000d R08: ffffffffbc5a2c6b R09: 0000902e0e52a96f\nR10: ffff902e2b7c1b40 R11: ffff902e2b7c1b40 R12: 000000000000000a\nR13: 0000000000000001 R14: ffff902e0e52aa10 R15: ffffffffffffff8b\nFS: 00007f81a7f65700(0000) GS:ffff902e3bc80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffff600400 CR3: 000000012db88001 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n do_iter_readv_writev+0x2e5/0x360\n do_iter_write+0x112/0x4c0\n do_pwritev+0x1e5/0x390\n __x64_sys_pwritev2+0x7e/0xa0\n do_syscall_64+0x37/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAbove issue may happen as follows:\nAssume\ninode.i_size=4096\nEXT4_I(inode)-\u003ei_disksize=4096\n\nstep 1: set inode-\u003ei_isize = 8192\next4_setattr\n if (attr-\u003eia_size != inode-\u003ei_size)\n EXT4_I(inode)-\u003ei_disksize = attr-\u003eia_size;\n rc = ext4_mark_inode_dirty\n ext4_reserve_inode_write\n ext4_get_inode_loc\n __ext4_get_inode_loc\n sb_getblk --\u003e return -ENOMEM\n ...\n if (!error) -\u003ewill not update i_size\n i_size_write(inode, attr-\u003eia_size);\nNow:\ninode.i_size=4096\nEXT4_I(inode)-\u003ei_disksize=8192\n\nstep 2: Direct write 4096 bytes\next4_file_write_iter\n ext4_dio_write_iter\n iomap_dio_rw -\u003ereturn error\n if (extend)\n ext4_handle_inode_extension\n WARN_ON_ONCE(i_size_read(inode) \u003c EXT4_I(inode)-\u003ei_disksize);\n-\u003eThen trigger warning.\n\nTo solve above issue, if mark inode dirty failed in ext4_setattr just\nset \u0027EXT4_I(inode)-\u003ei_disksize\u0027 with old value."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:19.413Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adf490083ca52ebfb0b2fe64ff1ead00c0452dd7"
},
{
"url": "https://git.kernel.org/stable/c/b81d2ff6885e38fc745eeaf9565775055778fc0b"
},
{
"url": "https://git.kernel.org/stable/c/e383c2aa5f02ab571530dc5c5696479672478c25"
},
{
"url": "https://git.kernel.org/stable/c/1bcce88da60eccc946c0f4ed942b0f08cd565778"
},
{
"url": "https://git.kernel.org/stable/c/f4534c9fc94d22383f187b9409abb3f9df2e3db3"
}
],
"title": "ext4: fix warning in ext4_handle_inode_extension",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49352",
"datePublished": "2025-02-26T02:11:04.496Z",
"dateReserved": "2025-02-26T02:08:31.544Z",
"dateUpdated": "2025-06-19T12:56:19.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21631 (GCVE-0-2025-21631)
Vulnerability from cvelistv5
Published
2025-01-19 10:17
Modified
2025-11-03 20:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
Our syzkaller report a following UAF for v6.6:
BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
print_report+0x3e/0x70 mm/kasan/report.c:475
kasan_report+0xb8/0xf0 mm/kasan/report.c:588
hlist_add_head include/linux/list.h:1023 [inline]
bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
__submit_bio+0xa0/0x6b0 block/blk-core.c:639
__submit_bio_noacct_mq block/blk-core.c:718 [inline]
submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
__ext4_read_bh fs/ext4/super.c:205 [inline]
ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
__read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
__do_sys_ioctl fs/ioctl.c:869 [inline]
__se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
Allocated by task 232719:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:768 [inline]
slab_alloc_node mm/slub.c:3492 [inline]
kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
__submit_bio+0xa0/0x6b0 block/blk-core.c:639
__submit_bio_noacct_mq block/blk-core.c:718 [inline]
submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
__ext4_read_bh fs/ext4/super.c:205 [inline]
ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
__ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
__lookup_slow+0x257/0x480 fs/namei.c:1696
lookup_slow fs/namei.c:1713 [inline]
walk_component+0x454/0x5c0 fs/namei.c:2004
link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
link_path_walk fs/namei.c:3826 [inline]
path_openat+0x1b9/0x520 fs/namei.c:3826
do_filp_open+0x1b7/0x400 fs/namei.c:3857
do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x148/0x200 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_6
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 63a07379fdb6c72450cb05294461c6016b8b7726 Version: de0456460f2abf921e356ed2bd8da87a376680bd Version: 0780451f03bf518bc032a7c584de8f92e2d39d7f Version: 1ba0403ac6447f2d63914fb760c44a3b19c44eaf Version: 1ba0403ac6447f2d63914fb760c44a3b19c44eaf Version: 0b8bda0ff17156cd3f60944527c9d8c9f99f1583 Version: cae58d19121a70329cf971359e2518c93fec04fe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:11:59.322368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:21:05.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:58:12.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f587c1ac68956c4703857d650d9b1cd7bb2ac4d7",
"status": "affected",
"version": "63a07379fdb6c72450cb05294461c6016b8b7726",
"versionType": "git"
},
{
"lessThan": "2550149fcdf2934155ff625d76ad4e3d4b25bbc6",
"status": "affected",
"version": "de0456460f2abf921e356ed2bd8da87a376680bd",
"versionType": "git"
},
{
"lessThan": "be3eed59ac01f429ac10aaa46e26f653bcf581ab",
"status": "affected",
"version": "0780451f03bf518bc032a7c584de8f92e2d39d7f",
"versionType": "git"
},
{
"lessThan": "bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed",
"status": "affected",
"version": "1ba0403ac6447f2d63914fb760c44a3b19c44eaf",
"versionType": "git"
},
{
"lessThan": "fcede1f0a043ccefe9bc6ad57f12718e42f63f1d",
"status": "affected",
"version": "1ba0403ac6447f2d63914fb760c44a3b19c44eaf",
"versionType": "git"
},
{
"status": "affected",
"version": "0b8bda0ff17156cd3f60944527c9d8c9f99f1583",
"versionType": "git"
},
{
"status": "affected",
"version": "cae58d19121a70329cf971359e2518c93fec04fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.177",
"versionStartIncluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.125",
"versionStartIncluding": "6.1.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.72",
"versionStartIncluding": "6.6.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix waker_bfqq UAF after bfq_split_bfqq()\n\nOur syzkaller report a following UAF for v6.6:\n\nBUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\nRead of size 8 at addr ffff8881b57147d8 by task fsstress/232726\n\nCPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\n print_report+0x3e/0x70 mm/kasan/report.c:475\n kasan_report+0xb8/0xf0 mm/kasan/report.c:588\n hlist_add_head include/linux/list.h:1023 [inline]\n bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230\n __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567\n ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947\n ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182\n ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660\n ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569\n iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91\n iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80\n ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051\n ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220\n do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811\n __do_sys_ioctl fs/ioctl.c:869 [inline]\n __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nAllocated by task 232719:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:768 [inline]\n slab_alloc_node mm/slub.c:3492 [inline]\n kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537\n bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869\n bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776\n bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217\n ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242\n ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958\n __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671\n ext4_lookup_entry fs/ext4/namei.c:1774 [inline]\n ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842\n ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839\n __lookup_slow+0x257/0x480 fs/namei.c:1696\n lookup_slow fs/namei.c:1713 [inline]\n walk_component+0x454/0x5c0 fs/namei.c:2004\n link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331\n link_path_walk fs/namei.c:3826 [inline]\n path_openat+0x1b9/0x520 fs/namei.c:3826\n do_filp_open+0x1b7/0x400 fs/namei.c:3857\n do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428\n do_sys_open fs/open.c:1443 [inline]\n __do_sys_openat fs/open.c:1459 [inline]\n __se_sys_openat fs/open.c:1454 [inline]\n __x64_sys_openat+0x148/0x200 fs/open.c:1454\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_6\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:05:59.494Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f587c1ac68956c4703857d650d9b1cd7bb2ac4d7"
},
{
"url": "https://git.kernel.org/stable/c/2550149fcdf2934155ff625d76ad4e3d4b25bbc6"
},
{
"url": "https://git.kernel.org/stable/c/be3eed59ac01f429ac10aaa46e26f653bcf581ab"
},
{
"url": "https://git.kernel.org/stable/c/bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed"
},
{
"url": "https://git.kernel.org/stable/c/fcede1f0a043ccefe9bc6ad57f12718e42f63f1d"
}
],
"title": "block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21631",
"datePublished": "2025-01-19T10:17:49.439Z",
"dateReserved": "2024-12-29T08:45:45.726Z",
"dateUpdated": "2025-11-03T20:58:12.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21866 (GCVE-0-2025-21866)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
Erhard reported the following KASAN hit while booting his PowerMac G4
with a KASAN-enabled kernel 6.13-rc6:
BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
Write of size 8 at addr f1000000 by task chronyd/1293
CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2
Tainted: [W]=WARN
Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
Call Trace:
[c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
[c24375b0] [c0504998] print_report+0xdc/0x504
[c2437610] [c050475c] kasan_report+0xf8/0x108
[c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
[c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
[c24376c0] [c004c014] patch_instructions+0x15c/0x16c
[c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
[c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
[c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
[c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
[c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
[c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
[c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
[c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
[c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
--- interrupt: c00 at 0x5a1274
NIP: 005a1274 LR: 006a3b3c CTR: 005296c8
REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4)
MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000
GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
NIP [005a1274] 0x5a1274
LR [006a3b3c] 0x6a3b3c
--- interrupt: c00
The buggy address belongs to the virtual mapping at
[f1000000, f1002000) created by:
text_area_cpu_up+0x20/0x190
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
flags: 0x80000000(zone=2)
raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not
initialised hence not supposed to be used yet.
Powerpc text patching infrastructure allocates a virtual memory area
using get_vm_area() and flags it as VM_ALLOC. But that flag is meant
to be used for vmalloc() and vmalloc() allocated memory is not
supposed to be used before a call to __vmalloc_node_range() which is
never called for that area.
That went undetected until commit e4137f08816b ("mm, kasan, kmsan:
instrument copy_from/to_kernel_nofault")
The area allocated by text_area_cpu_up() is not vmalloc memory, it is
mapped directly on demand when needed by map_kernel_page(). There is
no VM flag corresponding to such usage, so just pass no flag. That way
the area will be unpoisonned and usable immediately.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 Version: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:25.349170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:36.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:23.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97de5852058a299ba447cd9782fe96488d30108b",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "f8d4c5b653c1bc0df56e15658bbf64fc359adc4e",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "c905a3053518212a1017e50bd2be3bee59305bb0",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "2d542f13d26344e3452eee77613026ce9b653065",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "8d06e9208184b2851fa79a3a39d6860320c8bdf8",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "2e6c80423f201405fd65254e52decd21663896f3",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
},
{
"lessThan": "d262a192d38e527faa5984629aabda2e0d1c4f54",
"status": "affected",
"version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n\nErhard reported the following KASAN hit while booting his PowerMac G4\nwith a KASAN-enabled kernel 6.13-rc6:\n\n BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8\n Write of size 8 at addr f1000000 by task chronyd/1293\n\n CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2\n Tainted: [W]=WARN\n Hardware name: PowerMac3,6 7455 0x80010303 PowerMac\n Call Trace:\n [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)\n [c24375b0] [c0504998] print_report+0xdc/0x504\n [c2437610] [c050475c] kasan_report+0xf8/0x108\n [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c\n [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8\n [c24376c0] [c004c014] patch_instructions+0x15c/0x16c\n [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c\n [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac\n [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec\n [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478\n [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14\n [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4\n [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890\n [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420\n [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c\n --- interrupt: c00 at 0x5a1274\n NIP: 005a1274 LR: 006a3b3c CTR: 005296c8\n REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4)\n MSR: 0200f932 \u003cVEC,EE,PR,FP,ME,IR,DR,RI\u003e CR: 24004422 XER: 00000000\n\n GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932\n GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57\n GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002\n GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001\n NIP [005a1274] 0x5a1274\n LR [006a3b3c] 0x6a3b3c\n --- interrupt: c00\n\n The buggy address belongs to the virtual mapping at\n [f1000000, f1002000) created by:\n text_area_cpu_up+0x20/0x190\n\n The buggy address belongs to the physical page:\n page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30\n flags: 0x80000000(zone=2)\n raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001\n raw: 00000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003ef1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ==================================================================\n\nf8 corresponds to KASAN_VMALLOC_INVALID which means the area is not\ninitialised hence not supposed to be used yet.\n\nPowerpc text patching infrastructure allocates a virtual memory area\nusing get_vm_area() and flags it as VM_ALLOC. But that flag is meant\nto be used for vmalloc() and vmalloc() allocated memory is not\nsupposed to be used before a call to __vmalloc_node_range() which is\nnever called for that area.\n\nThat went undetected until commit e4137f08816b (\"mm, kasan, kmsan:\ninstrument copy_from/to_kernel_nofault\")\n\nThe area allocated by text_area_cpu_up() is not vmalloc memory, it is\nmapped directly on demand when needed by map_kernel_page(). There is\nno VM flag corresponding to such usage, so just pass no flag. That way\nthe area will be unpoisonned and usable immediately."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:49.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b"
},
{
"url": "https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e"
},
{
"url": "https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c"
},
{
"url": "https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0"
},
{
"url": "https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065"
},
{
"url": "https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8"
},
{
"url": "https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3"
},
{
"url": "https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54"
}
],
"title": "powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21866",
"datePublished": "2025-03-12T09:42:22.587Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-11-03T19:38:23.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49083 (GCVE-0-2022-49083)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/omap: Fix regression in probe for NULL pointer dereference
Commit 3f6634d997db ("iommu: Use right way to retrieve iommu_ops") started
triggering a NULL pointer dereference for some omap variants:
__iommu_probe_device from probe_iommu_group+0x2c/0x38
probe_iommu_group from bus_for_each_dev+0x74/0xbc
bus_for_each_dev from bus_iommu_probe+0x34/0x2e8
bus_iommu_probe from bus_set_iommu+0x80/0xc8
bus_set_iommu from omap_iommu_init+0x88/0xcc
omap_iommu_init from do_one_initcall+0x44/0x24
This is caused by omap iommu probe returning 0 instead of ERR_PTR(-ENODEV)
as noted by Jason Gunthorpe <jgg@ziepe.ca>.
Looks like the regression already happened with an earlier commit
6785eb9105e3 ("iommu/omap: Convert to probe/release_device() call-backs")
that changed the function return type and missed converting one place.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/omap-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd905fed87ce01ac010011bb8f44ed0140116ceb",
"status": "affected",
"version": "6785eb9105e3363aa51408c700a55e8b5f88fcf6",
"versionType": "git"
},
{
"lessThan": "47e239117bd97c8556f9187af7a9a7938db4e021",
"status": "affected",
"version": "6785eb9105e3363aa51408c700a55e8b5f88fcf6",
"versionType": "git"
},
{
"lessThan": "ea518578aa8a9a0280605b53cc33f707e10c8178",
"status": "affected",
"version": "6785eb9105e3363aa51408c700a55e8b5f88fcf6",
"versionType": "git"
},
{
"lessThan": "1d89f2b9eadbcf3ce93c6d7238f68299a1f84968",
"status": "affected",
"version": "6785eb9105e3363aa51408c700a55e8b5f88fcf6",
"versionType": "git"
},
{
"lessThan": "71ff461c3f41f6465434b9e980c01782763e7ad8",
"status": "affected",
"version": "6785eb9105e3363aa51408c700a55e8b5f88fcf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/omap-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/omap: Fix regression in probe for NULL pointer dereference\n\nCommit 3f6634d997db (\"iommu: Use right way to retrieve iommu_ops\") started\ntriggering a NULL pointer dereference for some omap variants:\n\n__iommu_probe_device from probe_iommu_group+0x2c/0x38\nprobe_iommu_group from bus_for_each_dev+0x74/0xbc\nbus_for_each_dev from bus_iommu_probe+0x34/0x2e8\nbus_iommu_probe from bus_set_iommu+0x80/0xc8\nbus_set_iommu from omap_iommu_init+0x88/0xcc\nomap_iommu_init from do_one_initcall+0x44/0x24\n\nThis is caused by omap iommu probe returning 0 instead of ERR_PTR(-ENODEV)\nas noted by Jason Gunthorpe \u003cjgg@ziepe.ca\u003e.\n\nLooks like the regression already happened with an earlier commit\n6785eb9105e3 (\"iommu/omap: Convert to probe/release_device() call-backs\")\nthat changed the function return type and missed converting one place."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:21.393Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd905fed87ce01ac010011bb8f44ed0140116ceb"
},
{
"url": "https://git.kernel.org/stable/c/47e239117bd97c8556f9187af7a9a7938db4e021"
},
{
"url": "https://git.kernel.org/stable/c/ea518578aa8a9a0280605b53cc33f707e10c8178"
},
{
"url": "https://git.kernel.org/stable/c/1d89f2b9eadbcf3ce93c6d7238f68299a1f84968"
},
{
"url": "https://git.kernel.org/stable/c/71ff461c3f41f6465434b9e980c01782763e7ad8"
}
],
"title": "iommu/omap: Fix regression in probe for NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49083",
"datePublished": "2025-02-26T01:54:42.582Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T08:29:21.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49994 (GCVE-0-2024-49994)
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2025-11-03 20:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix integer overflow in BLKSECDISCARD
I independently rediscovered
commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
block: fix overflow in blk_ioctl_discard()
but for secure erase.
Same problem:
uint64_t r[2] = {512, 18446744073709551104ULL};
ioctl(fd, BLKSECDISCARD, r);
will enter near infinite loop inside blkdev_issue_secure_erase():
a.out: attempt to access beyond end of device
loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
bio_check_eod: 3286214 callbacks suppressed
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:30:51.719818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:42.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:42:46.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8476f8428e8b48fd7a0e4258fa2a96a8f4468239",
"status": "affected",
"version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
"versionType": "git"
},
{
"lessThan": "a99bacb35c1416355eef957560e8fcac3a665549",
"status": "affected",
"version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
"versionType": "git"
},
{
"lessThan": "0842ddd83939eb4db940b9af7d39e79722bc41aa",
"status": "affected",
"version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
"versionType": "git"
},
{
"lessThan": "6c9915fa9410cbb9bd75ee283c03120046c56d3d",
"status": "affected",
"version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
"versionType": "git"
},
{
"lessThan": "697ba0b6ec4ae04afb67d3911799b5e2043b4455",
"status": "affected",
"version": "44abff2c0b970ae3d310b97617525dc01f248d7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.128",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.75",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:43:15.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239"
},
{
"url": "https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549"
},
{
"url": "https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa"
},
{
"url": "https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d"
},
{
"url": "https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455"
}
],
"title": "block: fix integer overflow in BLKSECDISCARD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49994",
"datePublished": "2024-10-21T18:02:35.722Z",
"dateReserved": "2024-10-21T12:17:06.055Z",
"dateUpdated": "2025-11-03T20:42:46.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49349 (GCVE-0-2022-49349)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_rename_dir_prepare
We got issue as follows:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
==================================================================
BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
Read of size 4 at addr ffff88810beee6ae by task rep/1895
CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
Call Trace:
dump_stack+0xbe/0xf9
print_address_description.constprop.0+0x1e/0x220
kasan_report.cold+0x37/0x7f
ext4_rename_dir_prepare+0x152/0x220
ext4_rename+0xf44/0x1ad0
ext4_rename2+0x11c/0x170
vfs_rename+0xa84/0x1440
do_renameat2+0x683/0x8f0
__x64_sys_renameat+0x53/0x60
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f45a6fc41c9
RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
ext4_rename_dir_prepare: [3] dir=0xffff888124170140
ext4_rename_dir_prepare: [4] ino=2
ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872
Reason is first directory entry which 'rec_len' is 34478, then will get illegal
parent entry. Now, we do not check directory entry after read directory block
in 'ext4_get_first_dir_block'.
To solve this issue, check directory entry in 'ext4_get_first_dir_block'.
[ Trigger an ext4_error() instead of just warning if the directory is
missing a '.' or '..' entry. Also make sure we return an error code
if the file system is corrupted. -TYT ]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:42.619044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a3a15bf6f9963d755270cbdb282863b84839195",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97f802a652a749422dede32071d29a53cf4bd034",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "10801095224de0d0ab06ae60698680c1f883a3ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eaecf7ebfd5dd09038a80b14be46b844f54cfc5c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd887f83ea54aea5b780a84527e23ab95f777fed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "364380c00912bed9b5d99eb485018360b0ecf64f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ff38b99fa075ddd246487a28cb9af049f4ceef1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4a2bea60cf7ff957b3eda0b17750d483876a02fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0be698ecbe4471fcad80e81ec6a05001421041b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_rename_dir_prepare\n\nWe got issue as follows:\nEXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue\next4_get_first_dir_block: bh-\u003eb_data=0xffff88810bee6000 len=34478\next4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh-\u003eb_data=0xffff88810bee6000\next4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae\n==================================================================\nBUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220\nRead of size 4 at addr ffff88810beee6ae by task rep/1895\n\nCPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241\nCall Trace:\n dump_stack+0xbe/0xf9\n print_address_description.constprop.0+0x1e/0x220\n kasan_report.cold+0x37/0x7f\n ext4_rename_dir_prepare+0x152/0x220\n ext4_rename+0xf44/0x1ad0\n ext4_rename2+0x11c/0x170\n vfs_rename+0xa84/0x1440\n do_renameat2+0x683/0x8f0\n __x64_sys_renameat+0x53/0x60\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\nRIP: 0033:0x7f45a6fc41c9\nRSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9\nRDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005\nRBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080\nR10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0\nR13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000\n\nThe buggy address belongs to the page:\npage:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee\nflags: 0x200000000000000()\nraw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000\nraw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\u003effff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n==================================================================\nDisabling lock debugging due to kernel taint\next4_rename_dir_prepare: [2] parent_de-\u003einode=3537895424\next4_rename_dir_prepare: [3] dir=0xffff888124170140\next4_rename_dir_prepare: [4] ino=2\next4_rename_dir_prepare: ent-\u003edir-\u003ei_ino=2 parent=-757071872\n\nReason is first directory entry which \u0027rec_len\u0027 is 34478, then will get illegal\nparent entry. Now, we do not check directory entry after read directory block\nin \u0027ext4_get_first_dir_block\u0027.\nTo solve this issue, check directory entry in \u0027ext4_get_first_dir_block\u0027.\n\n[ Trigger an ext4_error() instead of just warning if the directory is\n missing a \u0027.\u0027 or \u0027..\u0027 entry. Also make sure we return an error code\n if the file system is corrupted. -TYT ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:50.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195"
},
{
"url": "https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034"
},
{
"url": "https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae"
},
{
"url": "https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c"
},
{
"url": "https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed"
},
{
"url": "https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f"
},
{
"url": "https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1"
},
{
"url": "https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa"
},
{
"url": "https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3"
}
],
"title": "ext4: fix use-after-free in ext4_rename_dir_prepare",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49349",
"datePublished": "2025-02-26T02:11:02.993Z",
"dateReserved": "2025-02-26T02:08:31.544Z",
"dateUpdated": "2025-05-04T08:35:50.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49648 (GCVE-0-2022-49648)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/histograms: Fix memory leak problem
This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.
As commit 46bbe5c671e0 ("tracing: fix double free") said, the
"double free" problem reported by clang static analyzer is:
> In parse_var_defs() if there is a problem allocating
> var_defs.expr, the earlier var_defs.name is freed.
> This free is duplicated by free_var_defs() which frees
> the rest of the list.
However, if there is a problem allocating N-th var_defs.expr:
+ in parse_var_defs(), the freed 'earlier var_defs.name' is
actually the N-th var_defs.name;
+ then in free_var_defs(), the names from 0th to (N-1)-th are freed;
IF ALLOCATING PROBLEM HAPPENED HERE!!! -+
\
|
0th 1th (N-1)-th N-th V
+-------------+-------------+-----+-------------+-----------
var_defs: | name | expr | name | expr | ... | name | expr | name | ///
+-------------+-------------+-----+-------------+-----------
These two frees don't act on same name, so there was no "double free"
problem before. Conversely, after that commit, we get a "memory leak"
problem because the above "N-th var_defs.name" is not freed.
If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th
var_defs.expr allocated, then execute on shell like:
$ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \
/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger
Then kmemleak reports:
unreferenced object 0xffff8fb100ef3518 (size 8):
comm "bash", pid 196, jiffies 4295681690 (age 28.538s)
hex dump (first 8 bytes):
76 31 00 00 b1 8f ff ff v1......
backtrace:
[<0000000038fe4895>] kstrdup+0x2d/0x60
[<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0
[<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110
[<0000000066737a4c>] event_trigger_write+0x75/0xd0
[<000000007341e40c>] vfs_write+0xbb/0x2a0
[<0000000087fde4c2>] ksys_write+0x59/0xd0
[<00000000581e9cdf>] do_syscall_64+0x3a/0x80
[<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 240dd5118a9e0454f280ffeae63f22bd14735733 Version: e92c490f104993cea35e5f5d5108ac12df1850ac Version: 46bbe5c671e06f070428b9be142cc4ee5cedebac Version: 46bbe5c671e06f070428b9be142cc4ee5cedebac Version: 46bbe5c671e06f070428b9be142cc4ee5cedebac Version: 46bbe5c671e06f070428b9be142cc4ee5cedebac Version: e3a23511638a3dcf0275c1e71a46d1ca2e2e6788 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:48.167860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb622d5580b9e2ff694f62da6410618bd73853cb",
"status": "affected",
"version": "240dd5118a9e0454f280ffeae63f22bd14735733",
"versionType": "git"
},
{
"lessThan": "ecc6dec12c33aa92c086cd702af9f544ddaf3c75",
"status": "affected",
"version": "e92c490f104993cea35e5f5d5108ac12df1850ac",
"versionType": "git"
},
{
"lessThan": "78a1400c42ee11197eb1f0f85ba51df9a4fdfff0",
"status": "affected",
"version": "46bbe5c671e06f070428b9be142cc4ee5cedebac",
"versionType": "git"
},
{
"lessThan": "22eeff55679d9e7c0f768c79bfbd83e2f8142d89",
"status": "affected",
"version": "46bbe5c671e06f070428b9be142cc4ee5cedebac",
"versionType": "git"
},
{
"lessThan": "4d453eb5e1eec89971aa5b3262857ee26cfdffd3",
"status": "affected",
"version": "46bbe5c671e06f070428b9be142cc4ee5cedebac",
"versionType": "git"
},
{
"lessThan": "7edc3945bdce9c39198a10d6129377a5c53559c2",
"status": "affected",
"version": "46bbe5c671e06f070428b9be142cc4ee5cedebac",
"versionType": "git"
},
{
"status": "affected",
"version": "e3a23511638a3dcf0275c1e71a46d1ca2e2e6788",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "4.19.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.4.69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Fix memory leak problem\n\nThis reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.\n\nAs commit 46bbe5c671e0 (\"tracing: fix double free\") said, the\n\"double free\" problem reported by clang static analyzer is:\n \u003e In parse_var_defs() if there is a problem allocating\n \u003e var_defs.expr, the earlier var_defs.name is freed.\n \u003e This free is duplicated by free_var_defs() which frees\n \u003e the rest of the list.\n\nHowever, if there is a problem allocating N-th var_defs.expr:\n + in parse_var_defs(), the freed \u0027earlier var_defs.name\u0027 is\n actually the N-th var_defs.name;\n + then in free_var_defs(), the names from 0th to (N-1)-th are freed;\n\n IF ALLOCATING PROBLEM HAPPENED HERE!!! -+\n \\\n |\n 0th 1th (N-1)-th N-th V\n +-------------+-------------+-----+-------------+-----------\nvar_defs: | name | expr | name | expr | ... | name | expr | name | ///\n +-------------+-------------+-----+-------------+-----------\n\nThese two frees don\u0027t act on same name, so there was no \"double free\"\nproblem before. Conversely, after that commit, we get a \"memory leak\"\nproblem because the above \"N-th var_defs.name\" is not freed.\n\nIf enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th\nvar_defs.expr allocated, then execute on shell like:\n $ echo \u0027hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc\u0027 \u003e \\\n/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger\n\nThen kmemleak reports:\n unreferenced object 0xffff8fb100ef3518 (size 8):\n comm \"bash\", pid 196, jiffies 4295681690 (age 28.538s)\n hex dump (first 8 bytes):\n 76 31 00 00 b1 8f ff ff v1......\n backtrace:\n [\u003c0000000038fe4895\u003e] kstrdup+0x2d/0x60\n [\u003c00000000c99c049a\u003e] event_hist_trigger_parse+0x206f/0x20e0\n [\u003c00000000ae70d2cc\u003e] trigger_process_regex+0xc0/0x110\n [\u003c0000000066737a4c\u003e] event_trigger_write+0x75/0xd0\n [\u003c000000007341e40c\u003e] vfs_write+0xbb/0x2a0\n [\u003c0000000087fde4c2\u003e] ksys_write+0x59/0xd0\n [\u003c00000000581e9cdf\u003e] do_syscall_64+0x3a/0x80\n [\u003c00000000cf3b065c\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:02.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb622d5580b9e2ff694f62da6410618bd73853cb"
},
{
"url": "https://git.kernel.org/stable/c/ecc6dec12c33aa92c086cd702af9f544ddaf3c75"
},
{
"url": "https://git.kernel.org/stable/c/78a1400c42ee11197eb1f0f85ba51df9a4fdfff0"
},
{
"url": "https://git.kernel.org/stable/c/22eeff55679d9e7c0f768c79bfbd83e2f8142d89"
},
{
"url": "https://git.kernel.org/stable/c/4d453eb5e1eec89971aa5b3262857ee26cfdffd3"
},
{
"url": "https://git.kernel.org/stable/c/7edc3945bdce9c39198a10d6129377a5c53559c2"
}
],
"title": "tracing/histograms: Fix memory leak problem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49648",
"datePublished": "2025-02-26T02:23:52.035Z",
"dateReserved": "2025-02-26T02:21:30.432Z",
"dateUpdated": "2025-10-01T19:36:48.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21754 (GCVE-0-2025-21754)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 07:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix assertion failure when splitting ordered extent after transaction abort
If while we are doing a direct IO write a transaction abort happens, we
mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done
at btrfs_destroy_ordered_extents()), and then after that if we enter
btrfs_split_ordered_extent() and the ordered extent has bytes left
(meaning we have a bio that doesn't cover the whole ordered extent, see
details at btrfs_extract_ordered_extent()), we will fail on the following
assertion at btrfs_split_ordered_extent():
ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS));
because the BTRFS_ORDERED_IOERR flag is set and the definition of
BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the
type of write (regular, nocow, prealloc, compressed, direct IO, encoded).
Fix this by returning an error from btrfs_extract_ordered_extent() if we
find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will
be the error that resulted in the transaction abort or -EIO if no
transaction abort happened.
This was recently reported by syzbot with the following trace:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
fail_dump lib/fault-inject.c:53 [inline]
should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154
should_failslab+0xac/0x100 mm/failslab.c:46
slab_pre_alloc_hook mm/slub.c:4072 [inline]
slab_alloc_node mm/slub.c:4148 [inline]
__do_kmalloc_node mm/slub.c:4297 [inline]
__kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742
reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292
check_system_chunk fs/btrfs/block-group.c:4319 [inline]
do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]
btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187
find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]
find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579
btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672
btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]
btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321
btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525
iomap_iter+0x697/0xf60 fs/iomap/iter.c:90
__iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702
btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]
btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880
btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397
do_iter_readv_writev+0x600/0x880
vfs_writev+0x376/0xba0 fs/read_write.c:1050
do_pwritev fs/read_write.c:1146 [inline]
__do_sys_pwritev2 fs/read_write.c:1204 [inline]
__se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1281f85d29
RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29
RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003
R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002
R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328
</TASK>
BTRFS error (device loop0 state A): Transaction aborted (error -12)
BTRFS: error (device loop0 state A
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ordered-data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "927b930f117bbae730a853c1dc43da8afe8380fa",
"status": "affected",
"version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
"versionType": "git"
},
{
"lessThan": "0ff88c2a742a7cbaa4d08507d864737d099b435a",
"status": "affected",
"version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
"versionType": "git"
},
{
"lessThan": "8ea8db4216d1029527ab4666f730650419451e32",
"status": "affected",
"version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
"versionType": "git"
},
{
"lessThan": "0d85f5c2dd91df6b5da454406756f463ba923b69",
"status": "affected",
"version": "52b1fdca23ac0fbcad363a1a5b426bf0d56b715a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ordered-data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion failure when splitting ordered extent after transaction abort\n\nIf while we are doing a direct IO write a transaction abort happens, we\nmark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done\nat btrfs_destroy_ordered_extents()), and then after that if we enter\nbtrfs_split_ordered_extent() and the ordered extent has bytes left\n(meaning we have a bio that doesn\u0027t cover the whole ordered extent, see\ndetails at btrfs_extract_ordered_extent()), we will fail on the following\nassertion at btrfs_split_ordered_extent():\n\n ASSERT(!(flags \u0026 ~BTRFS_ORDERED_TYPE_FLAGS));\n\nbecause the BTRFS_ORDERED_IOERR flag is set and the definition of\nBTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the\ntype of write (regular, nocow, prealloc, compressed, direct IO, encoded).\n\nFix this by returning an error from btrfs_extract_ordered_extent() if we\nfind the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will\nbe the error that resulted in the transaction abort or -EIO if no\ntransaction abort happened.\n\nThis was recently reported by syzbot with the following trace:\n\n FAULT_INJECTION: forcing a failure.\n name failslab, interval 1, probability 0, space 0, times 1\n CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n fail_dump lib/fault-inject.c:53 [inline]\n should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154\n should_failslab+0xac/0x100 mm/failslab.c:46\n slab_pre_alloc_hook mm/slub.c:4072 [inline]\n slab_alloc_node mm/slub.c:4148 [inline]\n __do_kmalloc_node mm/slub.c:4297 [inline]\n __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742\n reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292\n check_system_chunk fs/btrfs/block-group.c:4319 [inline]\n do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]\n btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187\n find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]\n find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579\n btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672\n btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]\n btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321\n btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525\n iomap_iter+0x697/0xf60 fs/iomap/iter.c:90\n __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702\n btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]\n btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880\n btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397\n do_iter_readv_writev+0x600/0x880\n vfs_writev+0x376/0xba0 fs/read_write.c:1050\n do_pwritev fs/read_write.c:1146 [inline]\n __do_sys_pwritev2 fs/read_write.c:1204 [inline]\n __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f1281f85d29\n RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148\n RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29\n RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005\n RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003\n R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002\n R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328\n \u003c/TASK\u003e\n BTRFS error (device loop0 state A): Transaction aborted (error -12)\n BTRFS: error (device loop0 state A\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:27.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/927b930f117bbae730a853c1dc43da8afe8380fa"
},
{
"url": "https://git.kernel.org/stable/c/0ff88c2a742a7cbaa4d08507d864737d099b435a"
},
{
"url": "https://git.kernel.org/stable/c/8ea8db4216d1029527ab4666f730650419451e32"
},
{
"url": "https://git.kernel.org/stable/c/0d85f5c2dd91df6b5da454406756f463ba923b69"
}
],
"title": "btrfs: fix assertion failure when splitting ordered extent after transaction abort",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21754",
"datePublished": "2025-02-27T02:12:23.738Z",
"dateReserved": "2024-12-29T08:45:45.760Z",
"dateUpdated": "2025-05-04T07:20:27.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49506 (GCVE-0-2022-49506)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Add vblank register/unregister callback functions
We encountered a kernel panic issue that callback data will be NULL when
it's using in ovl irq handler. There is a timing issue between
mtk_disp_ovl_irq_handler() and mtk_ovl_disable_vblank().
To resolve this issue, we use the flow to register/unregister vblank cb:
- Register callback function and callback data when crtc creates.
- Unregister callback function and callback data when crtc destroies.
With this solution, we can assure callback data will not be NULL when
vblank is disable.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_disp_drv.h",
"drivers/gpu/drm/mediatek/mtk_disp_ovl.c",
"drivers/gpu/drm/mediatek/mtk_disp_rdma.c",
"drivers/gpu/drm/mediatek/mtk_drm_crtc.c",
"drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c",
"drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a2dbdeccef6de47565638abdf3c25f41cdffc37",
"status": "affected",
"version": "9b0704988b151824a51133dc4c921f4273c5d839",
"versionType": "git"
},
{
"lessThan": "8a265d9838bc3c63579002d55c2b2c655c4f8f26",
"status": "affected",
"version": "9b0704988b151824a51133dc4c921f4273c5d839",
"versionType": "git"
},
{
"lessThan": "3a4027b5971fe2a94e32754f007d9d3c12c68ad1",
"status": "affected",
"version": "9b0704988b151824a51133dc4c921f4273c5d839",
"versionType": "git"
},
{
"lessThan": "b74d921b900b6ce38c6247c0a1c86be9f3746493",
"status": "affected",
"version": "9b0704988b151824a51133dc4c921f4273c5d839",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_disp_drv.h",
"drivers/gpu/drm/mediatek/mtk_disp_ovl.c",
"drivers/gpu/drm/mediatek/mtk_disp_rdma.c",
"drivers/gpu/drm/mediatek/mtk_drm_crtc.c",
"drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c",
"drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add vblank register/unregister callback functions\n\nWe encountered a kernel panic issue that callback data will be NULL when\nit\u0027s using in ovl irq handler. There is a timing issue between\nmtk_disp_ovl_irq_handler() and mtk_ovl_disable_vblank().\n\nTo resolve this issue, we use the flow to register/unregister vblank cb:\n- Register callback function and callback data when crtc creates.\n- Unregister callback function and callback data when crtc destroies.\n\nWith this solution, we can assure callback data will not be NULL when\nvblank is disable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:24.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a2dbdeccef6de47565638abdf3c25f41cdffc37"
},
{
"url": "https://git.kernel.org/stable/c/8a265d9838bc3c63579002d55c2b2c655c4f8f26"
},
{
"url": "https://git.kernel.org/stable/c/3a4027b5971fe2a94e32754f007d9d3c12c68ad1"
},
{
"url": "https://git.kernel.org/stable/c/b74d921b900b6ce38c6247c0a1c86be9f3746493"
}
],
"title": "drm/mediatek: Add vblank register/unregister callback functions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49506",
"datePublished": "2025-02-26T02:13:38.168Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-05-04T08:39:24.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49514 (GCVE-0-2022-49514)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
Call of_node_put(platform_node) to avoid refcount leak in
the error path.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 Version: 94319ba10ecabc8f28129566d1f5793e3e7a0a79 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:19.275371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8173/mt8173-max98090.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a1901f34f775b83ea4b8dbb5ed992147b9b8531",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "1e932aba3c7628c9f880ee9c2cfcc2ae3ba0c01e",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "cc43b9fdca519c5b13be6a717bacbebccd628cf6",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "23f340ed906c758cec6527376768e3bc1474ac30",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "fb66e0512e5ccc093070e21cf88cce8d98c181b5",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "48889eb3cce91d7f58e02bc07277b7f724b7a54a",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "ebd5cb4f1f3f10b839e7575219e0f17b60c23113",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "98d5afe868df998b0244f4c229ab758b4083684a",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
},
{
"lessThan": "4f4e0454e226de3bf4efd7e7924d1edc571c52d5",
"status": "affected",
"version": "94319ba10ecabc8f28129566d1f5793e3e7a0a79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8173/mt8173-max98090.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe\n\nCall of_node_put(platform_node) to avoid refcount leak in\nthe error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:34.738Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a1901f34f775b83ea4b8dbb5ed992147b9b8531"
},
{
"url": "https://git.kernel.org/stable/c/1e932aba3c7628c9f880ee9c2cfcc2ae3ba0c01e"
},
{
"url": "https://git.kernel.org/stable/c/cc43b9fdca519c5b13be6a717bacbebccd628cf6"
},
{
"url": "https://git.kernel.org/stable/c/23f340ed906c758cec6527376768e3bc1474ac30"
},
{
"url": "https://git.kernel.org/stable/c/fb66e0512e5ccc093070e21cf88cce8d98c181b5"
},
{
"url": "https://git.kernel.org/stable/c/48889eb3cce91d7f58e02bc07277b7f724b7a54a"
},
{
"url": "https://git.kernel.org/stable/c/ebd5cb4f1f3f10b839e7575219e0f17b60c23113"
},
{
"url": "https://git.kernel.org/stable/c/98d5afe868df998b0244f4c229ab758b4083684a"
},
{
"url": "https://git.kernel.org/stable/c/4f4e0454e226de3bf4efd7e7924d1edc571c52d5"
}
],
"title": "ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49514",
"datePublished": "2025-02-26T02:13:43.398Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:42.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52989 (GCVE-0-2023-52989)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
This patch is fix for Linux kernel v2.6.33 or later.
For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
have had an issue of use-after-free. The subsystem allows multiple
user space listeners to the region, while data of the payload was likely
released before the listeners execute read(2) to access to it for copying
to user space.
The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix
use-after-free regression in FCP handler"). The object of payload is
duplicated in kernel space for each listener. When the listener executes
ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
be released.
However, it causes memory leak since the commit relies on call of
release_request() in drivers/firewire/core-cdev.c. Against the
expectation, the function is never called due to the design of
release_client_resource(). The function delegates release task
to caller when called with non-NULL fourth argument. The implementation
of ioctl_send_response() is the case. It should release the object
explicitly.
This commit fixes the bug.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:23.579210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:04.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2cd3947d116bb9ba7ff097b5fc747a8956764db",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "356ff89acdbe6a66019154bc7eb2d300f5b15103",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "53785fd9b315583cf029e39f72b73d23704a2253",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "c8bdc88216f09cb7387fedbdf613524367328616",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "531390a243ef47448f8bad01c186c2787666bf4d",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:01.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db"
},
{
"url": "https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103"
},
{
"url": "https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253"
},
{
"url": "https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee"
},
{
"url": "https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e"
},
{
"url": "https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616"
},
{
"url": "https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d"
}
],
"title": "firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52989",
"datePublished": "2025-03-27T16:43:25.684Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-10-01T20:17:04.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49270 (GCVE-0-2022-49270)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix use-after-free in dm_cleanup_zoned_dev()
dm_cleanup_zoned_dev() uses queue, so it must be called
before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, RCU callback may be executed first and
dm_cleanup_zoned_dev() will touch free'd memory:
BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0+0x1f/0x150
? dm_cleanup_zoned_dev+0x33/0xd0
kasan_report.cold+0x7f/0x11b
? dm_cleanup_zoned_dev+0x33/0xd0
dm_cleanup_zoned_dev+0x33/0xd0
__dm_destroy+0x26a/0x400
? dm_blk_ioctl+0x230/0x230
? up_write+0xd8/0x270
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
? table_clear+0x140/0x140
? lock_release+0xb2/0x750
? remove_all+0x40/0x40
? rcu_read_lock_sched_held+0x12/0x70
? lock_downgrade+0x3c0/0x3c0
? rcu_read_lock_sched_held+0x12/0x70
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:55.271520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0987f00a76a17aa7213da492c00ed9e5a6210c73",
"status": "affected",
"version": "bb37d77239af25cde59693dbe3fac04dd17d7b29",
"versionType": "git"
},
{
"lessThan": "fdfe414ca28ddfd562c233fb27385cf820de03e8",
"status": "affected",
"version": "bb37d77239af25cde59693dbe3fac04dd17d7b29",
"versionType": "git"
},
{
"lessThan": "43a043aed964659bc69ef81f266912b73c80d837",
"status": "affected",
"version": "bb37d77239af25cde59693dbe3fac04dd17d7b29",
"versionType": "git"
},
{
"lessThan": "588b7f5df0cb64f281290c7672470c006abe7160",
"status": "affected",
"version": "bb37d77239af25cde59693dbe3fac04dd17d7b29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix use-after-free in dm_cleanup_zoned_dev()\n\ndm_cleanup_zoned_dev() uses queue, so it must be called\nbefore blk_cleanup_disk() starts its killing:\n\nblk_cleanup_disk-\u003eblk_cleanup_queue()-\u003ekobject_put()-\u003eblk_release_queue()-\u003e\n-\u003e...RCU...-\u003eblk_free_queue_rcu()-\u003ekmem_cache_free()\n\nOtherwise, RCU callback may be executed first and\ndm_cleanup_zoned_dev() will touch free\u0027d memory:\n\n BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0\n Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681\n\n CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x57/0x7d\n print_address_description.constprop.0+0x1f/0x150\n ? dm_cleanup_zoned_dev+0x33/0xd0\n kasan_report.cold+0x7f/0x11b\n ? dm_cleanup_zoned_dev+0x33/0xd0\n dm_cleanup_zoned_dev+0x33/0xd0\n __dm_destroy+0x26a/0x400\n ? dm_blk_ioctl+0x230/0x230\n ? up_write+0xd8/0x270\n dev_remove+0x156/0x1d0\n ctl_ioctl+0x269/0x530\n ? table_clear+0x140/0x140\n ? lock_release+0xb2/0x750\n ? remove_all+0x40/0x40\n ? rcu_read_lock_sched_held+0x12/0x70\n ? lock_downgrade+0x3c0/0x3c0\n ? rcu_read_lock_sched_held+0x12/0x70\n dm_ctl_ioctl+0xa/0x10\n __x64_sys_ioctl+0xb9/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fb6dfa95c27"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:47.133Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0987f00a76a17aa7213da492c00ed9e5a6210c73"
},
{
"url": "https://git.kernel.org/stable/c/fdfe414ca28ddfd562c233fb27385cf820de03e8"
},
{
"url": "https://git.kernel.org/stable/c/43a043aed964659bc69ef81f266912b73c80d837"
},
{
"url": "https://git.kernel.org/stable/c/588b7f5df0cb64f281290c7672470c006abe7160"
}
],
"title": "dm: fix use-after-free in dm_cleanup_zoned_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49270",
"datePublished": "2025-02-26T01:56:17.683Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:47.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49748 (GCVE-0-2022-49748)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-10-01 17:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: fix potential integer overflow on shift of a int
The left shift of int 32 bit integer constant 1 is evaluated using 32 bit
arithmetic and then passed as a 64 bit function argument. In the case where
i is 32 or more this can lead to an overflow. Avoid this by shifting
using the BIT_ULL macro instead.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d8a6a443ff0aea5893f0a7f2726973b496b76420 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 3512462036dbe44d88e93e75ee8a993781183ddb |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:23:38.004025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:23:40.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbf7b0e4cef3b5470b610f14fb9faa5ee7f63954",
"status": "affected",
"version": "d8a6a443ff0aea5893f0a7f2726973b496b76420",
"versionType": "git"
},
{
"lessThan": "f84c9b72fb200633774704d8020f769c88a4b249",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "14cc13e433e1067557435b1adbf05608d7d47a93",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "a4d01fb87ece45d4164fd725890211ccf9a307a9",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "08245672cdc6505550d1a5020603b0a8d4a6dcc7",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"status": "affected",
"version": "3512462036dbe44d88e93e75ee8a993781183ddb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.4.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: fix potential integer overflow on shift of a int\n\nThe left shift of int 32 bit integer constant 1 is evaluated using 32 bit\narithmetic and then passed as a 64 bit function argument. In the case where\ni is 32 or more this can lead to an overflow. Avoid this by shifting\nusing the BIT_ULL macro instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:12.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbf7b0e4cef3b5470b610f14fb9faa5ee7f63954"
},
{
"url": "https://git.kernel.org/stable/c/f84c9b72fb200633774704d8020f769c88a4b249"
},
{
"url": "https://git.kernel.org/stable/c/14cc13e433e1067557435b1adbf05608d7d47a93"
},
{
"url": "https://git.kernel.org/stable/c/a4d01fb87ece45d4164fd725890211ccf9a307a9"
},
{
"url": "https://git.kernel.org/stable/c/08245672cdc6505550d1a5020603b0a8d4a6dcc7"
}
],
"title": "perf/x86/amd: fix potential integer overflow on shift of a int",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49748",
"datePublished": "2025-03-27T16:42:57.784Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-10-01T17:23:40.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52927 (GCVE-0-2023-52927)
Vulnerability from cvelistv5
Published
2025-03-14 14:25
Modified
2025-11-03 19:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: allow exp not to be removed in nf_ct_find_expectation
Currently nf_conntrack_in() calling nf_ct_find_expectation() will
remove the exp from the hash table. However, in some scenario, we
expect the exp not to be removed when the created ct will not be
confirmed, like in OVS and TC conntrack in the following patches.
This patch allows exp not to be removed by setting IPS_CONFIRMED
in the status of the tmpl.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:52.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_expect.h",
"net/netfilter/nf_conntrack_core.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec",
"status": "affected",
"version": "1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e",
"versionType": "git"
},
{
"lessThan": "4914109a8e1e494c6aa9852f9e84ec77a5fc643f",
"status": "affected",
"version": "1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_expect.h",
"net/netfilter/nf_conntrack_core.c",
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T16:51:03.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fa58a6fbd1e9e5682d09cdafb08fba004cb12ec"
},
{
"url": "https://git.kernel.org/stable/c/4914109a8e1e494c6aa9852f9e84ec77a5fc643f"
},
{
"url": "https://seadragnol.github.io/posts/CVE-2023-52927/"
}
],
"title": "netfilter: allow exp not to be removed in nf_ct_find_expectation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52927",
"datePublished": "2025-03-14T14:25:59.166Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-11-03T19:28:52.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53030 (GCVE-0-2023-53030)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Avoid use of GFP_KERNEL in atomic context
Using GFP_KERNEL in preemption disable context, causing below warning
when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.
[ 32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
[ 32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
[ 32.558707] preempt_count: 1, expected: 0
[ 32.562710] RCU nest depth: 0, expected: 0
[ 32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc2-00269-gae9dcb91c606 #7
[ 32.576188] Hardware name: Marvell CN106XX board (DT)
[ 32.581232] Call trace:
[ 32.583670] dump_backtrace.part.0+0xe0/0xf0
[ 32.587937] show_stack+0x18/0x30
[ 32.591245] dump_stack_lvl+0x68/0x84
[ 32.594900] dump_stack+0x18/0x34
[ 32.598206] __might_resched+0x12c/0x160
[ 32.602122] __might_sleep+0x48/0xa0
[ 32.605689] __kmem_cache_alloc_node+0x2b8/0x2e0
[ 32.610301] __kmalloc+0x58/0x190
[ 32.613610] otx2_sq_aura_pool_init+0x1a8/0x314
[ 32.618134] otx2_open+0x1d4/0x9d0
To avoid use of GFP_ATOMIC for memory allocation, disable preemption
after all memory allocation is done.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2827c4eb429db64befdca11362e2b1c5f524f6ba",
"status": "affected",
"version": "6ea5273c71dd2d07c0a2459594eb34bc087939f7",
"versionType": "git"
},
{
"lessThan": "1eb57b87f106c90cee6b2a56a10f2e29c7a25f3e",
"status": "affected",
"version": "667ce030bdfb62a86266444b2c3fd6ab98b9df9b",
"versionType": "git"
},
{
"lessThan": "87b93b678e95c7d93fe6a55b0e0fbda26d8c7760",
"status": "affected",
"version": "4af1b64f80fbe1275fb02c5f1c0cef099a4a231f",
"versionType": "git"
},
{
"status": "affected",
"version": "b754dc7c933dd9464223f64b10d33d68ab086cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.91",
"status": "affected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Avoid use of GFP_KERNEL in atomic context\n\nUsing GFP_KERNEL in preemption disable context, causing below warning\nwhen CONFIG_DEBUG_ATOMIC_SLEEP is enabled.\n\n[ 32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274\n[ 32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n[ 32.558707] preempt_count: 1, expected: 0\n[ 32.562710] RCU nest depth: 0, expected: 0\n[ 32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc2-00269-gae9dcb91c606 #7\n[ 32.576188] Hardware name: Marvell CN106XX board (DT)\n[ 32.581232] Call trace:\n[ 32.583670] dump_backtrace.part.0+0xe0/0xf0\n[ 32.587937] show_stack+0x18/0x30\n[ 32.591245] dump_stack_lvl+0x68/0x84\n[ 32.594900] dump_stack+0x18/0x34\n[ 32.598206] __might_resched+0x12c/0x160\n[ 32.602122] __might_sleep+0x48/0xa0\n[ 32.605689] __kmem_cache_alloc_node+0x2b8/0x2e0\n[ 32.610301] __kmalloc+0x58/0x190\n[ 32.613610] otx2_sq_aura_pool_init+0x1a8/0x314\n[ 32.618134] otx2_open+0x1d4/0x9d0\n\nTo avoid use of GFP_ATOMIC for memory allocation, disable preemption\nafter all memory allocation is done."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:10.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2827c4eb429db64befdca11362e2b1c5f524f6ba"
},
{
"url": "https://git.kernel.org/stable/c/1eb57b87f106c90cee6b2a56a10f2e29c7a25f3e"
},
{
"url": "https://git.kernel.org/stable/c/87b93b678e95c7d93fe6a55b0e0fbda26d8c7760"
}
],
"title": "octeontx2-pf: Avoid use of GFP_KERNEL in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53030",
"datePublished": "2025-03-27T16:43:58.921Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T12:50:10.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49213 (GCVE-0-2022-49213)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath10k: Fix error handling in ath10k_setup_msa_resources
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error path.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:44.146053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:05.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/snoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "315772133a4b960859e4f5efe0e738e347188cdc",
"status": "affected",
"version": "727fec790ead3d75e2735f66209949c2163523ea",
"versionType": "git"
},
{
"lessThan": "32939187f254171a5666badc058bc3787fe454af",
"status": "affected",
"version": "727fec790ead3d75e2735f66209949c2163523ea",
"versionType": "git"
},
{
"lessThan": "74b1d41e1b6410eed5c76d00eedb262036e9eff5",
"status": "affected",
"version": "727fec790ead3d75e2735f66209949c2163523ea",
"versionType": "git"
},
{
"lessThan": "4ed37d611ea5d222c3ecb3549e4c2d34b8f3c335",
"status": "affected",
"version": "727fec790ead3d75e2735f66209949c2163523ea",
"versionType": "git"
},
{
"lessThan": "9747a78d5f758a5284751a10aee13c30d02bd5f1",
"status": "affected",
"version": "727fec790ead3d75e2735f66209949c2163523ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/snoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix error handling in ath10k_setup_msa_resources\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:30.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/315772133a4b960859e4f5efe0e738e347188cdc"
},
{
"url": "https://git.kernel.org/stable/c/32939187f254171a5666badc058bc3787fe454af"
},
{
"url": "https://git.kernel.org/stable/c/74b1d41e1b6410eed5c76d00eedb262036e9eff5"
},
{
"url": "https://git.kernel.org/stable/c/4ed37d611ea5d222c3ecb3549e4c2d34b8f3c335"
},
{
"url": "https://git.kernel.org/stable/c/9747a78d5f758a5284751a10aee13c30d02bd5f1"
}
],
"title": "ath10k: Fix error handling in ath10k_setup_msa_resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49213",
"datePublished": "2025-02-26T01:55:49.176Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:05.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52559 (GCVE-0-2024-52559)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()
The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
values that come from the user via the submit_lookup_cmds() function.
This addition could lead to an integer wrapping bug so use size_add()
to prevent that.
Patchwork: https://patchwork.freedesktop.org/patch/624696/
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:56.189127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:41.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b99b2c4621d13bd4374ef384e8f1fc188d0a5df",
"status": "affected",
"version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
"versionType": "git"
},
{
"lessThan": "2f1845e46c41ed500789d53dc45b383b7745c96c",
"status": "affected",
"version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
"versionType": "git"
},
{
"lessThan": "e43a0f1327a1ee70754f8a0de6e0262cfa3e0b87",
"status": "affected",
"version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
"versionType": "git"
},
{
"lessThan": "3a47f4b439beb98e955d501c609dfd12b7836d61",
"status": "affected",
"version": "198725337ef1f73b73e7dc953c6ffb0799f26ffe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()\n\nThe \"submit-\u003ecmd[i].size\" and \"submit-\u003ecmd[i].offset\" variables are u32\nvalues that come from the user via the submit_lookup_cmds() function.\nThis addition could lead to an integer wrapping bug so use size_add()\nto prevent that.\n\nPatchwork: https://patchwork.freedesktop.org/patch/624696/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:51:25.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b99b2c4621d13bd4374ef384e8f1fc188d0a5df"
},
{
"url": "https://git.kernel.org/stable/c/2f1845e46c41ed500789d53dc45b383b7745c96c"
},
{
"url": "https://git.kernel.org/stable/c/e43a0f1327a1ee70754f8a0de6e0262cfa3e0b87"
},
{
"url": "https://git.kernel.org/stable/c/3a47f4b439beb98e955d501c609dfd12b7836d61"
}
],
"title": "drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-52559",
"datePublished": "2025-02-27T02:18:07.106Z",
"dateReserved": "2025-02-27T02:16:34.059Z",
"dateUpdated": "2025-10-01T19:36:41.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41077 (GCVE-0-2024-41077)
Vulnerability from cvelistv5
Published
2024-07-29 14:57
Modified
2025-11-03 22:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
null_blk: fix validation of block size
Block size should be between 512 and PAGE_SIZE and be a power of 2. The current
check does not validate this, so update the check.
Without this patch, null_blk would Oops due to a null pointer deref when
loaded with bs=1536 [1].
[axboe: remove unnecessary braces and != 0 check]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:34.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:21:17.956039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:59.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9625afe1dd4a158a14bb50f81af9e2dac634c0b1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b873bdaae64bddade9d8c6df23c8a31948d47d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2772ed2fc075eef7df3789906fc9dae01e4e132e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08f03186b96e25e3154916a2e70732557c770ea7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f92409a9da02f27d05d713bff5f865e386cef9b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c462ecd659b5fce731f1d592285832fd6ad54053",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:21:34.218Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1"
},
{
"url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0"
},
{
"url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e"
},
{
"url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7"
},
{
"url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3"
},
{
"url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053"
}
],
"title": "null_blk: fix validation of block size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41077",
"datePublished": "2024-07-29T14:57:36.680Z",
"dateReserved": "2024-07-12T12:17:45.632Z",
"dateUpdated": "2025-11-03T22:00:34.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49459 (GCVE-0-2022-49459)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe
platform_get_resource() may return NULL, add proper check to
avoid potential NULL dereferencing.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 Version: 250e211057c7237dc75634b1372a1a3bd58dcd96 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:13.530698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:47.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/broadcom/sr-thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3461ccaa5d2588568d865faee285512ad448049",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
},
{
"lessThan": "79098339ac2065f4b4352ef5921628970b6f47e6",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
},
{
"lessThan": "ef1235c6514a58f274246cf4a2d5f4e40af539ce",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
},
{
"lessThan": "ee9b6b02e8c140323ed46d6602d805ea735c7719",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
},
{
"lessThan": "61621e042c22b47d1eadee617bdd26835294b425",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
},
{
"lessThan": "e20d136ec7d6f309989c447638365840d3424c8e",
"status": "affected",
"version": "250e211057c7237dc75634b1372a1a3bd58dcd96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/broadcom/sr-thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe\n\nplatform_get_resource() may return NULL, add proper check to\navoid potential NULL dereferencing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:12.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3461ccaa5d2588568d865faee285512ad448049"
},
{
"url": "https://git.kernel.org/stable/c/79098339ac2065f4b4352ef5921628970b6f47e6"
},
{
"url": "https://git.kernel.org/stable/c/ef1235c6514a58f274246cf4a2d5f4e40af539ce"
},
{
"url": "https://git.kernel.org/stable/c/ee9b6b02e8c140323ed46d6602d805ea735c7719"
},
{
"url": "https://git.kernel.org/stable/c/61621e042c22b47d1eadee617bdd26835294b425"
},
{
"url": "https://git.kernel.org/stable/c/e20d136ec7d6f309989c447638365840d3424c8e"
}
],
"title": "thermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49459",
"datePublished": "2025-02-26T02:13:06.833Z",
"dateReserved": "2025-02-26T02:08:31.574Z",
"dateUpdated": "2025-10-01T19:46:47.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49115 (GCVE-0-2022-49115)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix misused goto label
Fix a misused goto label jump since that can result in a memory leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:51.176330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:04.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c657c0694ff690e361a13ce41c36b9dfb433ec8",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "dc9d33b2d8d09e6478e8ef817a81cf26930acc3e",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "70236a0d2d62b081d52076de22d8d017d6cbe99f",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "d3642fc64276b06446290f82fd45630aeaa4b007",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
},
{
"lessThan": "bf8d87c076f55b8b4dfdb6bc6c6b6dc0c2ccb487",
"status": "affected",
"version": "5ebf3fc59bd20d17df3ba26159787d13cf20d362",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix misused goto label\n\nFix a misused goto label jump since that can result in a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:12.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c657c0694ff690e361a13ce41c36b9dfb433ec8"
},
{
"url": "https://git.kernel.org/stable/c/dc9d33b2d8d09e6478e8ef817a81cf26930acc3e"
},
{
"url": "https://git.kernel.org/stable/c/70236a0d2d62b081d52076de22d8d017d6cbe99f"
},
{
"url": "https://git.kernel.org/stable/c/d3642fc64276b06446290f82fd45630aeaa4b007"
},
{
"url": "https://git.kernel.org/stable/c/bf8d87c076f55b8b4dfdb6bc6c6b6dc0c2ccb487"
}
],
"title": "PCI: endpoint: Fix misused goto label",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49115",
"datePublished": "2025-02-26T01:54:58.654Z",
"dateReserved": "2025-02-26T01:49:39.262Z",
"dateUpdated": "2025-10-01T19:57:04.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56703 (GCVE-0-2024-56703)
Vulnerability from cvelistv5
Published
2024-12-28 09:46
Modified
2025-11-03 20:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix soft lockups in fib6_select_path under high next hop churn
Soft lockups have been observed on a cluster of Linux-based edge routers
located in a highly dynamic environment. Using the `bird` service, these
routers continuously update BGP-advertised routes due to frequently
changing nexthop destinations, while also managing significant IPv6
traffic. The lockups occur during the traversal of the multipath
circular linked-list in the `fib6_select_path` function, particularly
while iterating through the siblings in the list. The issue typically
arises when the nodes of the linked list are unexpectedly deleted
concurrently on a different core—indicated by their 'next' and
'previous' elements pointing back to the node itself and their reference
count dropping to zero. This results in an infinite loop, leading to a
soft lockup that triggers a system panic via the watchdog timer.
Apply RCU primitives in the problematic code sections to resolve the
issue. Where necessary, update the references to fib6_siblings to
annotate or use the RCU APIs.
Include a test script that reproduces the issue. The script
periodically updates the routing table while generating a heavy load
of outgoing IPv6 traffic through multiple iperf3 clients. It
consistently induces infinite soft lockups within a couple of minutes.
Kernel log:
0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb
1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3
2 [ffffbd13003e8e58] panic at ffffffff8cef65d4
3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03
4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f
5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756
6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af
7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d
-- <IRQ stack> --
8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb
[exception RIP: fib6_select_path+299]
RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287
RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000
RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618
RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200
R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830
R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c
10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c
11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5
12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47
13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0
14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274
15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474
16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615
17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec
18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3
19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9
20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]
21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]
22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]
23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000
24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581
25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9
26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47
27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30
28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f
29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64
30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:58:51.187430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:07.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:52:52.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c",
"tools/testing/selftests/net/Makefile",
"tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"status": "affected",
"version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
"versionType": "git"
},
{
"lessThan": "52da02521ede55fb86546c3fffd9377b3261b91f",
"status": "affected",
"version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
"versionType": "git"
},
{
"lessThan": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"status": "affected",
"version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
"versionType": "git"
},
{
"lessThan": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"status": "affected",
"version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
"versionType": "git"
},
{
"lessThan": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"status": "affected",
"version": "66f5d6ce53e665477d2a33e8f539d4fa4ca81c83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c",
"tools/testing/selftests/net/Makefile",
"tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.128",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.75",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix soft lockups in fib6_select_path under high next hop churn\n\nSoft lockups have been observed on a cluster of Linux-based edge routers\nlocated in a highly dynamic environment. Using the `bird` service, these\nrouters continuously update BGP-advertised routes due to frequently\nchanging nexthop destinations, while also managing significant IPv6\ntraffic. The lockups occur during the traversal of the multipath\ncircular linked-list in the `fib6_select_path` function, particularly\nwhile iterating through the siblings in the list. The issue typically\narises when the nodes of the linked list are unexpectedly deleted\nconcurrently on a different core\u2014indicated by their \u0027next\u0027 and\n\u0027previous\u0027 elements pointing back to the node itself and their reference\ncount dropping to zero. This results in an infinite loop, leading to a\nsoft lockup that triggers a system panic via the watchdog timer.\n\nApply RCU primitives in the problematic code sections to resolve the\nissue. Where necessary, update the references to fib6_siblings to\nannotate or use the RCU APIs.\n\nInclude a test script that reproduces the issue. The script\nperiodically updates the routing table while generating a heavy load\nof outgoing IPv6 traffic through multiple iperf3 clients. It\nconsistently induces infinite soft lockups within a couple of minutes.\n\nKernel log:\n\n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb\n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3\n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4\n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03\n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f\n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756\n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af\n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d\n-- \u003cIRQ stack\u003e --\n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb\n [exception RIP: fib6_select_path+299]\n RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287\n RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000\n RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618\n RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830\n R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c\n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c\n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5\n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47\n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0\n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274\n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474\n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615\n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec\n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3\n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9\n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]\n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]\n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]\n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000\n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581\n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9\n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47\n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30\n28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f\n29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64\n30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:02:52.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2"
},
{
"url": "https://git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f"
},
{
"url": "https://git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f"
},
{
"url": "https://git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b"
},
{
"url": "https://git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b"
}
],
"title": "ipv6: Fix soft lockups in fib6_select_path under high next hop churn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56703",
"datePublished": "2024-12-28T09:46:24.978Z",
"dateReserved": "2024-12-27T15:00:39.856Z",
"dateUpdated": "2025-11-03T20:52:52.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49075 (GCVE-0-2022-49075)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix qgroup reserve overflow the qgroup limit
We use extent_changeset->bytes_changed in qgroup_reserve_data() to record
how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the
bytes_changed is set as "unsigned int", and it will overflow if we try to
fallocate a range larger than 4GiB. The result is we reserve less bytes
and eventually break the qgroup limit.
Unlike regular buffered/direct write, which we use one changeset for
each ordered extent, which can never be larger than 256M. For
fallocate, we use one changeset for the whole range, thus it no longer
respects the 256M per extent limit, and caused the problem.
The following example test script reproduces the problem:
$ cat qgroup-overflow.sh
#!/bin/bash
DEV=/dev/sdj
MNT=/mnt/sdj
mkfs.btrfs -f $DEV
mount $DEV $MNT
# Set qgroup limit to 2GiB.
btrfs quota enable $MNT
btrfs qgroup limit 2G $MNT
# Try to fallocate a 3GiB file. This should fail.
echo
echo "Try to fallocate a 3GiB file..."
fallocate -l 3G $MNT/3G.file
# Try to fallocate a 5GiB file.
echo
echo "Try to fallocate a 5GiB file..."
fallocate -l 5G $MNT/5G.file
# See we break the qgroup limit.
echo
sync
btrfs qgroup show -r $MNT
umount $MNT
When running the test:
$ ./qgroup-overflow.sh
(...)
Try to fallocate a 3GiB file...
fallocate: fallocate failed: Disk quota exceeded
Try to fallocate a 5GiB file...
qgroupid rfer excl max_rfer
-------- ---- ---- --------
0/5 5.00GiB 5.00GiB 2.00GiB
Since we have no control of how bytes_changed is used, it's better to
set it to u64.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0355387ea5b02d353c9415613fab908fac5c52a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3d97b22a708bf9e3f3ac2ba232bcefd0b0c136b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "44277c50fdba5019ca25bfad1b71e2561b0de11b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82ae73ac963cee877ce34f7c31b2b456b516e96c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b98799e181b4326a613108cf37acc1f55d21b45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6bfff81286d4491f02dad7814bae5c77c9ad2320",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7941b74ed49b6db25efbef2256ebef843c11a010",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b642b52d0b50f4d398cb4293f64992d0eed2e2ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix qgroup reserve overflow the qgroup limit\n\nWe use extent_changeset-\u003ebytes_changed in qgroup_reserve_data() to record\nhow many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the\nbytes_changed is set as \"unsigned int\", and it will overflow if we try to\nfallocate a range larger than 4GiB. The result is we reserve less bytes\nand eventually break the qgroup limit.\n\nUnlike regular buffered/direct write, which we use one changeset for\neach ordered extent, which can never be larger than 256M. For\nfallocate, we use one changeset for the whole range, thus it no longer\nrespects the 256M per extent limit, and caused the problem.\n\nThe following example test script reproduces the problem:\n\n $ cat qgroup-overflow.sh\n #!/bin/bash\n\n DEV=/dev/sdj\n MNT=/mnt/sdj\n\n mkfs.btrfs -f $DEV\n mount $DEV $MNT\n\n # Set qgroup limit to 2GiB.\n btrfs quota enable $MNT\n btrfs qgroup limit 2G $MNT\n\n # Try to fallocate a 3GiB file. This should fail.\n echo\n echo \"Try to fallocate a 3GiB file...\"\n fallocate -l 3G $MNT/3G.file\n\n # Try to fallocate a 5GiB file.\n echo\n echo \"Try to fallocate a 5GiB file...\"\n fallocate -l 5G $MNT/5G.file\n\n # See we break the qgroup limit.\n echo\n sync\n btrfs qgroup show -r $MNT\n\n umount $MNT\n\nWhen running the test:\n\n $ ./qgroup-overflow.sh\n (...)\n\n Try to fallocate a 3GiB file...\n fallocate: fallocate failed: Disk quota exceeded\n\n Try to fallocate a 5GiB file...\n\n qgroupid\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rfer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 excl\u00a0\u00a0\u00a0\u00a0 max_rfer\n --------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ----\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ----\u00a0\u00a0\u00a0\u00a0 --------\n 0/5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5.00GiB\u00a0\u00a0\u00a0\u00a0\u00a0 5.00GiB\u00a0\u00a0\u00a0\u00a0\u00a0 2.00GiB\n\nSince we have no control of how bytes_changed is used, it\u0027s better to\nset it to u64."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:11.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0355387ea5b02d353c9415613fab908fac5c52a6"
},
{
"url": "https://git.kernel.org/stable/c/f3d97b22a708bf9e3f3ac2ba232bcefd0b0c136b"
},
{
"url": "https://git.kernel.org/stable/c/44277c50fdba5019ca25bfad1b71e2561b0de11b"
},
{
"url": "https://git.kernel.org/stable/c/82ae73ac963cee877ce34f7c31b2b456b516e96c"
},
{
"url": "https://git.kernel.org/stable/c/4b98799e181b4326a613108cf37acc1f55d21b45"
},
{
"url": "https://git.kernel.org/stable/c/6bfff81286d4491f02dad7814bae5c77c9ad2320"
},
{
"url": "https://git.kernel.org/stable/c/7941b74ed49b6db25efbef2256ebef843c11a010"
},
{
"url": "https://git.kernel.org/stable/c/b642b52d0b50f4d398cb4293f64992d0eed2e2ce"
}
],
"title": "btrfs: fix qgroup reserve overflow the qgroup limit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49075",
"datePublished": "2025-02-26T01:54:38.757Z",
"dateReserved": "2025-02-26T01:49:39.245Z",
"dateUpdated": "2025-05-04T08:29:11.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49187 (GCVE-0-2022-49187)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: Fix clk_hw_get_clk() when dev is NULL
Any registered clk_core structure can have a NULL pointer in its dev
field. While never actually documented, this is evidenced by the wide
usage of clk_register and clk_hw_register with a NULL device pointer,
and the fact that the core of_clk_hw_register() function also passes a
NULL device pointer.
A call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that
case will result in a NULL pointer derefence when it calls dev_name() on
that NULL device pointer.
Add a test for this case and use NULL as the dev_id if the device
pointer is NULL.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:18.677759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:59.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4be3e4c05d8dd1b83b75652cad88c9e752ec7054",
"status": "affected",
"version": "30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2",
"versionType": "git"
},
{
"lessThan": "d183f20cf5a7b546d4108e796b98210ceb317579",
"status": "affected",
"version": "30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2",
"versionType": "git"
},
{
"lessThan": "23f89fe005b105f0dcc55034c13eb89f9b570fac",
"status": "affected",
"version": "30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2",
"versionType": "git"
},
{
"lessThan": "0c1b56df451716ba207bbf59f303473643eee4fd",
"status": "affected",
"version": "30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/clk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_hw_get_clk() when dev is NULL\n\nAny registered clk_core structure can have a NULL pointer in its dev\nfield. While never actually documented, this is evidenced by the wide\nusage of clk_register and clk_hw_register with a NULL device pointer,\nand the fact that the core of_clk_hw_register() function also passes a\nNULL device pointer.\n\nA call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that\ncase will result in a NULL pointer derefence when it calls dev_name() on\nthat NULL device pointer.\n\nAdd a test for this case and use NULL as the dev_id if the device\npointer is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:51.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4be3e4c05d8dd1b83b75652cad88c9e752ec7054"
},
{
"url": "https://git.kernel.org/stable/c/d183f20cf5a7b546d4108e796b98210ceb317579"
},
{
"url": "https://git.kernel.org/stable/c/23f89fe005b105f0dcc55034c13eb89f9b570fac"
},
{
"url": "https://git.kernel.org/stable/c/0c1b56df451716ba207bbf59f303473643eee4fd"
}
],
"title": "clk: Fix clk_hw_get_clk() when dev is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49187",
"datePublished": "2025-02-26T01:55:36.094Z",
"dateReserved": "2025-02-26T01:49:39.286Z",
"dateUpdated": "2025-10-01T19:56:59.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49091 (GCVE-0-2022-49091)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/imx: Fix memory leak in imx_pd_connector_get_modes
Avoid leaking the display mode variable if of_get_drm_display_mode
fails.
Addresses-Coverity-ID: 1443943 ("Resource leak")
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b Version: 76ecd9c9fb24b014a6f33fbb1287ede3be12158b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/parallel-display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2c2758cfb0262637fd93350bdc8ad485fb1dd61",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "38bf605bd8c83d942c8dcffaef3633b7d8b37549",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "41624d7c0c3df71dee170c610744aaa5909327b8",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "c539a6a5896ed92bfb91494e46996d013f3d5967",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "f8b0ef0a5889890b50482b6593bd8de544736351",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "31e449302ed00c38d4068443cf0243279701ab28",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "bc23c327e1a23cc3555fa1e86288e13288515442",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "7526102d908ec5ae777aa77723d52fce12916093",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
},
{
"lessThan": "bce81feb03a20fca7bbdd1c4af16b4e9d5c0e1d3",
"status": "affected",
"version": "76ecd9c9fb24b014a6f33fbb1287ede3be12158b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/parallel-display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx: Fix memory leak in imx_pd_connector_get_modes\n\nAvoid leaking the display mode variable if of_get_drm_display_mode\nfails.\n\nAddresses-Coverity-ID: 1443943 (\"Resource leak\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:31.995Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2c2758cfb0262637fd93350bdc8ad485fb1dd61"
},
{
"url": "https://git.kernel.org/stable/c/38bf605bd8c83d942c8dcffaef3633b7d8b37549"
},
{
"url": "https://git.kernel.org/stable/c/41624d7c0c3df71dee170c610744aaa5909327b8"
},
{
"url": "https://git.kernel.org/stable/c/c539a6a5896ed92bfb91494e46996d013f3d5967"
},
{
"url": "https://git.kernel.org/stable/c/f8b0ef0a5889890b50482b6593bd8de544736351"
},
{
"url": "https://git.kernel.org/stable/c/31e449302ed00c38d4068443cf0243279701ab28"
},
{
"url": "https://git.kernel.org/stable/c/bc23c327e1a23cc3555fa1e86288e13288515442"
},
{
"url": "https://git.kernel.org/stable/c/7526102d908ec5ae777aa77723d52fce12916093"
},
{
"url": "https://git.kernel.org/stable/c/bce81feb03a20fca7bbdd1c4af16b4e9d5c0e1d3"
}
],
"title": "drm/imx: Fix memory leak in imx_pd_connector_get_modes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49091",
"datePublished": "2025-02-26T01:54:46.701Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:31.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49130 (GCVE-0-2022-49130)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: mhi: use mhi_sync_power_up()
If amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. The
reason for that was that we were using mhi_async_power_up() which does not
check any errors. But mhi_sync_power_up() on the other hand does check for
errors so let's use that to fix the crash.
I was not able to find a reason why an async version was used.
ath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from
ath11k_hif_power_up(), which can sleep. So sync version should be safe to use
here.
[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI
[ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567
[ 145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]
[ 145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08
[ 145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246
[ 145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455
[ 145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80
[ 145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497
[ 145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000
[ 145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8
[ 145.570465] FS: 00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000
[ 145.570519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0
[ 145.570623] Call Trace:
[ 145.570675] <TASK>
[ 145.570727] ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]
[ 145.570797] ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]
[ 145.570864] ? tasklet_init+0x150/0x150
[ 145.570919] ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]
[ 145.570986] ? tasklet_clear_sched+0x42/0xe0
[ 145.571042] ? tasklet_kill+0xe9/0x1b0
[ 145.571095] ? tasklet_clear_sched+0xe0/0xe0
[ 145.571148] ? irq_has_action+0x120/0x120
[ 145.571202] ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]
[ 145.571270] ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]
[ 145.571345] ath11k_core_stop+0x8a/0xc0 [ath11k]
[ 145.571434] ath11k_core_deinit+0x9e/0x150 [ath11k]
[ 145.571499] ath11k_pci_remove+0xd2/0x260 [ath11k_pci]
[ 145.571553] pci_device_remove+0x9a/0x1c0
[ 145.571605] __device_release_driver+0x332/0x660
[ 145.571659] driver_detach+0x1e7/0x2c0
[ 145.571712] bus_remove_driver+0xe2/0x2d0
[ 145.571772] pci_unregister_driver+0x21/0x250
[ 145.571826] __do_sys_delete_module+0x30a/0x4b0
[ 145.571879] ? free_module+0xac0/0xac0
[ 145.571933] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
[ 145.571986] ? syscall_enter_from_user_mode+0x1d/0x50
[ 145.572039] ? lockdep_hardirqs_on+0x79/0x100
[ 145.572097] do_syscall_64+0x3b/0x90
[ 145.572153] entry_SYSCALL_64_after_hwframe+0x44/0xae
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:20.645584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "339bd0b55ecdd0f7f341e9357c4cfde799de9418",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "20d01a11efde2e05e47d5c66101f5c26eaca68e2",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "646d533af2911be1184eaee8c900b7eb8ecc4396",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "3df6d74aedfdca919cca475d15dfdbc8b05c9e5d",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: mhi: use mhi_sync_power_up()\n\nIf amss.bin was missing ath11k would crash during \u0027rmmod ath11k_pci\u0027. The\nreason for that was that we were using mhi_async_power_up() which does not\ncheck any errors. But mhi_sync_power_up() on the other hand does check for\nerrors so let\u0027s use that to fix the crash.\n\nI was not able to find a reason why an async version was used.\nath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from\nath11k_hif_power_up(), which can sleep. So sync version should be safe to use\nhere.\n\n[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI\n[ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567\n[ 145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]\n[ 145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 \u003c0f\u003e b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08\n[ 145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246\n[ 145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455\n[ 145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80\n[ 145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497\n[ 145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000\n[ 145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8\n[ 145.570465] FS: 00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000\n[ 145.570519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0\n[ 145.570623] Call Trace:\n[ 145.570675] \u003cTASK\u003e\n[ 145.570727] ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]\n[ 145.570797] ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]\n[ 145.570864] ? tasklet_init+0x150/0x150\n[ 145.570919] ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]\n[ 145.570986] ? tasklet_clear_sched+0x42/0xe0\n[ 145.571042] ? tasklet_kill+0xe9/0x1b0\n[ 145.571095] ? tasklet_clear_sched+0xe0/0xe0\n[ 145.571148] ? irq_has_action+0x120/0x120\n[ 145.571202] ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]\n[ 145.571270] ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]\n[ 145.571345] ath11k_core_stop+0x8a/0xc0 [ath11k]\n[ 145.571434] ath11k_core_deinit+0x9e/0x150 [ath11k]\n[ 145.571499] ath11k_pci_remove+0xd2/0x260 [ath11k_pci]\n[ 145.571553] pci_device_remove+0x9a/0x1c0\n[ 145.571605] __device_release_driver+0x332/0x660\n[ 145.571659] driver_detach+0x1e7/0x2c0\n[ 145.571712] bus_remove_driver+0xe2/0x2d0\n[ 145.571772] pci_unregister_driver+0x21/0x250\n[ 145.571826] __do_sys_delete_module+0x30a/0x4b0\n[ 145.571879] ? free_module+0xac0/0xac0\n[ 145.571933] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[ 145.571986] ? syscall_enter_from_user_mode+0x1d/0x50\n[ 145.572039] ? lockdep_hardirqs_on+0x79/0x100\n[ 145.572097] do_syscall_64+0x3b/0x90\n[ 145.572153] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:38.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/339bd0b55ecdd0f7f341e9357c4cfde799de9418"
},
{
"url": "https://git.kernel.org/stable/c/20d01a11efde2e05e47d5c66101f5c26eaca68e2"
},
{
"url": "https://git.kernel.org/stable/c/3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849"
},
{
"url": "https://git.kernel.org/stable/c/646d533af2911be1184eaee8c900b7eb8ecc4396"
},
{
"url": "https://git.kernel.org/stable/c/3df6d74aedfdca919cca475d15dfdbc8b05c9e5d"
}
],
"title": "ath11k: mhi: use mhi_sync_power_up()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49130",
"datePublished": "2025-02-26T01:55:06.124Z",
"dateReserved": "2025-02-26T01:49:39.267Z",
"dateUpdated": "2025-10-01T19:57:03.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49726 (GCVE-0-2022-49726)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
arch/x86/kernel/cpu/mshyperv.c is never compiled as modular.
(CONFIG_HYPERVISOR_GUEST is boolean)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/hyperv_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cff3a7ce6e81418b6e8bac941779bbf5d342d626",
"status": "affected",
"version": "dd2cb348613b44f9d948b068775e159aad298599",
"versionType": "git"
},
{
"lessThan": "db965e2757d95f695e606856418cd84003dd036d",
"status": "affected",
"version": "dd2cb348613b44f9d948b068775e159aad298599",
"versionType": "git"
},
{
"lessThan": "0414eab7c78f3518143d383e448d44fc573ac6d2",
"status": "affected",
"version": "dd2cb348613b44f9d948b068775e159aad298599",
"versionType": "git"
},
{
"lessThan": "937fcbb55a1e48a6422e87e8f49422c92265f102",
"status": "affected",
"version": "dd2cb348613b44f9d948b068775e159aad298599",
"versionType": "git"
},
{
"lessThan": "245b993d8f6c4e25f19191edfbd8080b645e12b1",
"status": "affected",
"version": "dd2cb348613b44f9d948b068775e159aad298599",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/hyperv_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource: hyper-v: unexport __init-annotated hv_init_clocksource()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\narch/x86/kernel/cpu/mshyperv.c is never compiled as modular.\n(CONFIG_HYPERVISOR_GUEST is boolean)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:10.038Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cff3a7ce6e81418b6e8bac941779bbf5d342d626"
},
{
"url": "https://git.kernel.org/stable/c/db965e2757d95f695e606856418cd84003dd036d"
},
{
"url": "https://git.kernel.org/stable/c/0414eab7c78f3518143d383e448d44fc573ac6d2"
},
{
"url": "https://git.kernel.org/stable/c/937fcbb55a1e48a6422e87e8f49422c92265f102"
},
{
"url": "https://git.kernel.org/stable/c/245b993d8f6c4e25f19191edfbd8080b645e12b1"
}
],
"title": "clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49726",
"datePublished": "2025-02-26T02:24:38.003Z",
"dateReserved": "2025-02-26T02:21:30.448Z",
"dateUpdated": "2025-05-04T08:44:10.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49276 (GCVE-0-2022-49276)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix memory leak in jffs2_scan_medium
If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:
--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.
00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................
backtrace:
[<ffffffffae93a3a3>] __kmalloc+0x613/0x910
[<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0
[<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794
[<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267
[<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0
[<ffffffffb0315d64>] mtd_get_sb+0x254/0x400
[<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0
[<ffffffffb0316478>] get_tree_mtd+0x498/0x840
[<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30
[<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0
[<ffffffffaea7a98f>] path_mount+0x50f/0x1e50
[<ffffffffaea7c3d7>] do_mount+0x107/0x130
[<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0
[<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160
[<ffffffffb10142f5>] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............
00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90
[<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794
[...]
unreferenced object 0xffff888114b57280 (size 32):
comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
hex dump (first 32 bytes):
10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............
00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90
[<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794
[...]
unreferenced object 0xffff8881116cd510 (size 16):
comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90
[<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794
[...]
--------------------------------------------
Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:34.710725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:01.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jffs2/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b0c69182f09b70779817af4dcf89780955d5c4c",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "b36bccb04e14cc0c1e2d0e92d477fe220314fad6",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "e711913463af916d777a4873068f415f1fe2ad33",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "455f4a23490bfcbedc8e5c245c463a59b19e5ddd",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "51dbb5e36d59f62e34d462b801c1068248149cfe",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "52ba0ab4f0a606f02a6163493378989faa1ec10a",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "b26bbc0c122cad038831f226a4cb4de702225e16",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "82462324bf35b6b553400af1c1aa265069cee28f",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jffs2/scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_scan_medium\n\nIf an error is returned in jffs2_scan_eraseblock() and some memory\nhas been added to the jffs2_summary *s, we can observe the following\nkmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88812b889c40 (size 64):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.\n 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................\n backtrace:\n [\u003cffffffffae93a3a3\u003e] __kmalloc+0x613/0x910\n [\u003cffffffffaf423b9c\u003e] jffs2_sum_add_dirent_mem+0x5c/0xa0\n [\u003cffffffffb0f3afa8\u003e] jffs2_scan_medium.cold+0x36e5/0x4794\n [\u003cffffffffb0f3dbe1\u003e] jffs2_do_mount_fs.cold+0xa7/0x2267\n [\u003cffffffffaf40acf3\u003e] jffs2_do_fill_super+0x383/0xc30\n [\u003cffffffffaf40c00a\u003e] jffs2_fill_super+0x2ea/0x4c0\n [\u003cffffffffb0315d64\u003e] mtd_get_sb+0x254/0x400\n [\u003cffffffffb0315f5f\u003e] mtd_get_sb_by_nr+0x4f/0xd0\n [\u003cffffffffb0316478\u003e] get_tree_mtd+0x498/0x840\n [\u003cffffffffaf40bd15\u003e] jffs2_get_tree+0x25/0x30\n [\u003cffffffffae9f358d\u003e] vfs_get_tree+0x8d/0x2e0\n [\u003cffffffffaea7a98f\u003e] path_mount+0x50f/0x1e50\n [\u003cffffffffaea7c3d7\u003e] do_mount+0x107/0x130\n [\u003cffffffffaea7c5c5\u003e] __se_sys_mount+0x1c5/0x2f0\n [\u003cffffffffaea7c917\u003e] __x64_sys_mount+0xc7/0x160\n [\u003cffffffffb10142f5\u003e] do_syscall_64+0x45/0x70\nunreferenced object 0xffff888114b54840 (size 32):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............\n 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.\n backtrace:\n [\u003cffffffffae93be24\u003e] kmem_cache_alloc_trace+0x584/0x880\n [\u003cffffffffaf423b04\u003e] jffs2_sum_add_inode_mem+0x54/0x90\n [\u003cffffffffb0f3bd44\u003e] jffs2_scan_medium.cold+0x4481/0x4794\n [...]\nunreferenced object 0xffff888114b57280 (size 32):\n comm \"mount\", pid 692, jiffies 4294838393 (age 34.357s)\n hex dump (first 32 bytes):\n 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............\n 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.\n backtrace:\n [\u003cffffffffae93be24\u003e] kmem_cache_alloc_trace+0x584/0x880\n [\u003cffffffffaf423c34\u003e] jffs2_sum_add_xattr_mem+0x54/0x90\n [\u003cffffffffb0f3a24f\u003e] jffs2_scan_medium.cold+0x298c/0x4794\n [...]\nunreferenced object 0xffff8881116cd510 (size 16):\n comm \"mount\", pid 692, jiffies 4294838395 (age 34.355s)\n hex dump (first 16 bytes):\n 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.\n backtrace:\n [\u003cffffffffae93be24\u003e] kmem_cache_alloc_trace+0x584/0x880\n [\u003cffffffffaf423cc4\u003e] jffs2_sum_add_xref_mem+0x54/0x90\n [\u003cffffffffb0f3b2e3\u003e] jffs2_scan_medium.cold+0x3a20/0x4794\n [...]\n--------------------------------------------\n\nTherefore, we should call jffs2_sum_reset_collected(s) on exit to\nrelease the memory added in s. In addition, a new tag \"out_buf\" is\nadded to prevent the NULL pointer reference caused by s being NULL.\n(thanks to Zhang Yi for this analysis)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:59.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b0c69182f09b70779817af4dcf89780955d5c4c"
},
{
"url": "https://git.kernel.org/stable/c/b36bccb04e14cc0c1e2d0e92d477fe220314fad6"
},
{
"url": "https://git.kernel.org/stable/c/e711913463af916d777a4873068f415f1fe2ad33"
},
{
"url": "https://git.kernel.org/stable/c/455f4a23490bfcbedc8e5c245c463a59b19e5ddd"
},
{
"url": "https://git.kernel.org/stable/c/51dbb5e36d59f62e34d462b801c1068248149cfe"
},
{
"url": "https://git.kernel.org/stable/c/52ba0ab4f0a606f02a6163493378989faa1ec10a"
},
{
"url": "https://git.kernel.org/stable/c/b26bbc0c122cad038831f226a4cb4de702225e16"
},
{
"url": "https://git.kernel.org/stable/c/82462324bf35b6b553400af1c1aa265069cee28f"
},
{
"url": "https://git.kernel.org/stable/c/9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df"
}
],
"title": "jffs2: fix memory leak in jffs2_scan_medium",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49276",
"datePublished": "2025-02-26T01:56:20.559Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-10-01T19:47:01.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26873 (GCVE-0-2024-26873)
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2025-05-04 08:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Fix a deadlock issue related to automatic dump
If we issue a disabling PHY command, the device attached with it will go
offline, if a 2 bit ECC error occurs at the same time, a hung task may be
found:
[ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds.
[ 4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208
[ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas]
[ 4613.691518] Call trace:
[ 4613.694678] __switch_to+0xf8/0x17c
[ 4613.698872] __schedule+0x660/0xee0
[ 4613.703063] schedule+0xac/0x240
[ 4613.706994] schedule_timeout+0x500/0x610
[ 4613.711705] __down+0x128/0x36c
[ 4613.715548] down+0x240/0x2d0
[ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main]
[ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas]
[ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas]
[ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main]
[ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main]
[ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas]
[ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas]
[ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas]
[ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas]
[ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas]
[ 4613.784716] process_one_work+0x248/0x950
[ 4613.789424] worker_thread+0x318/0x934
[ 4613.793878] kthread+0x190/0x200
[ 4613.797810] ret_from_fork+0x10/0x18
[ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds.
[ 4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208
[ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main]
[ 4613.841491] Call trace:
[ 4613.844647] __switch_to+0xf8/0x17c
[ 4613.848852] __schedule+0x660/0xee0
[ 4613.853052] schedule+0xac/0x240
[ 4613.856984] schedule_timeout+0x500/0x610
[ 4613.861695] __down+0x128/0x36c
[ 4613.865542] down+0x240/0x2d0
[ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main]
[ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main]
[ 4613.883019] process_one_work+0x248/0x950
[ 4613.887732] worker_thread+0x318/0x934
[ 4613.892204] kthread+0x190/0x200
[ 4613.896118] ret_from_fork+0x10/0x18
[ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds.
[ 4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208
[ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas]
[ 4613.939549] Call trace:
[ 4613.942702] __switch_to+0xf8/0x17c
[ 4613.946892] __schedule+0x660/0xee0
[ 4613.951083] schedule+0xac/0x240
[ 4613.955015] schedule_timeout+0x500/0x610
[ 4613.959725] wait_for_common+0x200/0x610
[ 4613.964349] wait_for_completion+0x3c/0x5c
[ 4613.969146] flush_workqueue+0x198/0x790
[ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas]
[ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas]
[ 4613.985708] process_one_work+0x248/0x950
[ 4613.990420] worker_thread+0x318/0x934
[ 4613.994868] kthread+0x190/0x200
[ 4613.998800] ret_from_fork+0x10/0x18
This is because when the device goes offline, we obtain the hisi_hba
semaphore and send the ABORT_DEV command to the device. However, the
internal abort timed out due to the 2 bit ECC error and triggers automatic
dump. In addition, since the hisi_hba semaphore has been obtained, the dump
cannot be executed and the controller cannot be reset.
Therefore, the deadlocks occur on the following circular dependencies
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:02:10.417549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:43.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:04.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a47f0b03149af538af4442ff0702eac430ace1cb",
"status": "affected",
"version": "91e035e98fa1383ca90d774c29bb14c3c5ed2d8c",
"versionType": "git"
},
{
"lessThan": "e022dd3b875315a2d2001a512e98d1dc8c991f4a",
"status": "affected",
"version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
"versionType": "git"
},
{
"lessThan": "85c98073ffcfe9e46abfb9c66f3364467119d563",
"status": "affected",
"version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
"versionType": "git"
},
{
"lessThan": "3c4f53b2c341ec6428b98cb51a89a09b025d0953",
"status": "affected",
"version": "2ff07b5c6fe9173e7a7de3b23f300d71ad4d8fde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Fix a deadlock issue related to automatic dump\n\nIf we issue a disabling PHY command, the device attached with it will go\noffline, if a 2 bit ECC error occurs at the same time, a hung task may be\nfound:\n\n[ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds.\n[ 4613.666297] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208\n[ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas]\n[ 4613.691518] Call trace:\n[ 4613.694678] __switch_to+0xf8/0x17c\n[ 4613.698872] __schedule+0x660/0xee0\n[ 4613.703063] schedule+0xac/0x240\n[ 4613.706994] schedule_timeout+0x500/0x610\n[ 4613.711705] __down+0x128/0x36c\n[ 4613.715548] down+0x240/0x2d0\n[ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main]\n[ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas]\n[ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas]\n[ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main]\n[ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main]\n[ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas]\n[ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas]\n[ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas]\n[ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas]\n[ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas]\n[ 4613.784716] process_one_work+0x248/0x950\n[ 4613.789424] worker_thread+0x318/0x934\n[ 4613.793878] kthread+0x190/0x200\n[ 4613.797810] ret_from_fork+0x10/0x18\n[ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds.\n[ 4613.816026] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208\n[ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main]\n[ 4613.841491] Call trace:\n[ 4613.844647] __switch_to+0xf8/0x17c\n[ 4613.848852] __schedule+0x660/0xee0\n[ 4613.853052] schedule+0xac/0x240\n[ 4613.856984] schedule_timeout+0x500/0x610\n[ 4613.861695] __down+0x128/0x36c\n[ 4613.865542] down+0x240/0x2d0\n[ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main]\n[ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main]\n[ 4613.883019] process_one_work+0x248/0x950\n[ 4613.887732] worker_thread+0x318/0x934\n[ 4613.892204] kthread+0x190/0x200\n[ 4613.896118] ret_from_fork+0x10/0x18\n[ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds.\n[ 4613.914341] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208\n[ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas]\n[ 4613.939549] Call trace:\n[ 4613.942702] __switch_to+0xf8/0x17c\n[ 4613.946892] __schedule+0x660/0xee0\n[ 4613.951083] schedule+0xac/0x240\n[ 4613.955015] schedule_timeout+0x500/0x610\n[ 4613.959725] wait_for_common+0x200/0x610\n[ 4613.964349] wait_for_completion+0x3c/0x5c\n[ 4613.969146] flush_workqueue+0x198/0x790\n[ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas]\n[ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas]\n[ 4613.985708] process_one_work+0x248/0x950\n[ 4613.990420] worker_thread+0x318/0x934\n[ 4613.994868] kthread+0x190/0x200\n[ 4613.998800] ret_from_fork+0x10/0x18\n\nThis is because when the device goes offline, we obtain the hisi_hba\nsemaphore and send the ABORT_DEV command to the device. However, the\ninternal abort timed out due to the 2 bit ECC error and triggers automatic\ndump. In addition, since the hisi_hba semaphore has been obtained, the dump\ncannot be executed and the controller cannot be reset.\n\nTherefore, the deadlocks occur on the following circular dependencies\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:58:34.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a47f0b03149af538af4442ff0702eac430ace1cb"
},
{
"url": "https://git.kernel.org/stable/c/e022dd3b875315a2d2001a512e98d1dc8c991f4a"
},
{
"url": "https://git.kernel.org/stable/c/85c98073ffcfe9e46abfb9c66f3364467119d563"
},
{
"url": "https://git.kernel.org/stable/c/3c4f53b2c341ec6428b98cb51a89a09b025d0953"
}
],
"title": "scsi: hisi_sas: Fix a deadlock issue related to automatic dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26873",
"datePublished": "2024-04-17T10:27:32.647Z",
"dateReserved": "2024-02-19T14:20:24.184Z",
"dateUpdated": "2025-05-04T08:58:34.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49502 (GCVE-0-2022-49502)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rga: fix possible memory leak in rga_probe
rga->m2m_dev needs to be freed when rga_probe fails.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:32.735953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.899Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rga/rga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ddc89437ccefa18279918c19a61fd81527f40b9",
"status": "affected",
"version": "f7e7b48e6d796da85d99b318def20d9313ef61df",
"versionType": "git"
},
{
"lessThan": "eeb4819e94aa69767b9e5591e70c63e8b7c5786a",
"status": "affected",
"version": "f7e7b48e6d796da85d99b318def20d9313ef61df",
"versionType": "git"
},
{
"lessThan": "b7bbca4d08471bc8404a946bab1aa017dd05199b",
"status": "affected",
"version": "f7e7b48e6d796da85d99b318def20d9313ef61df",
"versionType": "git"
},
{
"lessThan": "1cdc768468c25d6b10ab83ec1efd4a8554532d69",
"status": "affected",
"version": "f7e7b48e6d796da85d99b318def20d9313ef61df",
"versionType": "git"
},
{
"lessThan": "a71eb6025305192e646040cd76ccacb5bd48a1b5",
"status": "affected",
"version": "f7e7b48e6d796da85d99b318def20d9313ef61df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rga/rga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rga: fix possible memory leak in rga_probe\n\nrga-\u003em2m_dev needs to be freed when rga_probe fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:18.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ddc89437ccefa18279918c19a61fd81527f40b9"
},
{
"url": "https://git.kernel.org/stable/c/eeb4819e94aa69767b9e5591e70c63e8b7c5786a"
},
{
"url": "https://git.kernel.org/stable/c/b7bbca4d08471bc8404a946bab1aa017dd05199b"
},
{
"url": "https://git.kernel.org/stable/c/1cdc768468c25d6b10ab83ec1efd4a8554532d69"
},
{
"url": "https://git.kernel.org/stable/c/a71eb6025305192e646040cd76ccacb5bd48a1b5"
}
],
"title": "media: rga: fix possible memory leak in rga_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49502",
"datePublished": "2025-02-26T02:13:35.528Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:42.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49712 (GCVE-0-2022-49712)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
of_node_put() will check NULL pointer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 Version: 24a28e4283510dcd58890379a42b8a7d3201d9d3 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:26.147841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/lpc32xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d85e4e6284a91aa2d1ab004e9d84b9c09b4aa203",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "0ef6917c0524da5b88496b9706628ffef108b9bb",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "2a598da14856ead80c726b38ba426c68637d9211",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "b75bddfcc18170ce8e3fb695a76ec2dec4ce0ea5",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "57901c658f77d9ea2e772f35cb38e47efb54c558",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "46da1e4a8b6329479433b2a4056941dfdd7f3efd",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "727c82d003e0ec64411fd1257a9a57de4ad7a99a",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
},
{
"lessThan": "4757c9ade34178b351580133771f510b5ffcf9c8",
"status": "affected",
"version": "24a28e4283510dcd58890379a42b8a7d3201d9d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/lpc32xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() will check NULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:52.603Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d85e4e6284a91aa2d1ab004e9d84b9c09b4aa203"
},
{
"url": "https://git.kernel.org/stable/c/0ef6917c0524da5b88496b9706628ffef108b9bb"
},
{
"url": "https://git.kernel.org/stable/c/2a598da14856ead80c726b38ba426c68637d9211"
},
{
"url": "https://git.kernel.org/stable/c/b75bddfcc18170ce8e3fb695a76ec2dec4ce0ea5"
},
{
"url": "https://git.kernel.org/stable/c/57901c658f77d9ea2e772f35cb38e47efb54c558"
},
{
"url": "https://git.kernel.org/stable/c/46da1e4a8b6329479433b2a4056941dfdd7f3efd"
},
{
"url": "https://git.kernel.org/stable/c/727c82d003e0ec64411fd1257a9a57de4ad7a99a"
},
{
"url": "https://git.kernel.org/stable/c/4757c9ade34178b351580133771f510b5ffcf9c8"
}
],
"title": "usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49712",
"datePublished": "2025-02-26T02:24:28.888Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-10-01T19:36:45.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21892 (GCVE-0-2025-21892)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix the recovery flow of the UMR QP
This patch addresses an issue in the recovery flow of the UMR QP,
ensuring tasks do not get stuck, as highlighted by the call trace [1].
During recovery, before transitioning the QP to the RESET state, the
software must wait for all outstanding WRs to complete.
Failing to do so can cause the firmware to skip sending some flushed
CQEs with errors and simply discard them upon the RESET, as per the IB
specification.
This race condition can result in lost CQEs and tasks becoming stuck.
To resolve this, the patch sends a final WR which serves only as a
barrier before moving the QP state to RESET.
Once a CQE is received for that final WR, it guarantees that no
outstanding WRs remain, making it safe to transition the QP to RESET and
subsequently back to RTS, restoring proper functionality.
Note:
For the barrier WR, we simply reuse the failed and ready WR.
Since the QP is in an error state, it will only receive
IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't
care about its status.
[1]
INFO: task rdma_resource_l:1922 blocked for more than 120 seconds.
Tainted: G W 6.12.0-rc7+ #1626
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369
flags:0x00004004
Call Trace:
<TASK>
__schedule+0x420/0xd30
schedule+0x47/0x130
schedule_timeout+0x280/0x300
? mark_held_locks+0x48/0x80
? lockdep_hardirqs_on_prepare+0xe5/0x1a0
wait_for_completion+0x75/0x130
mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]
? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]
mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]
__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]
? _raw_spin_unlock_irq+0x24/0x40
? wait_for_completion+0xfe/0x130
? rdma_restrack_put+0x63/0xe0 [ib_core]
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? __lock_acquire+0x64e/0x2080
? mark_held_locks+0x48/0x80
? find_held_lock+0x2d/0xa0
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? __fget_files+0xc3/0x1b0
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f99c918b17b
RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:
00007f99c918b17b
RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:
0000000000000003
RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:
000000000000bd7e
R10: 00007f99c94c1c70 R11: 0000000000000246 R12:
00007ffc766d0530
R13: 000000000000001c R14: 0000000040246a80 R15:
0000000000000000
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/umr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e3bf255992cc02404e9d209b127c1c9944239cf",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"lessThan": "1d2b84d8d054313deed2b2fcafe1168bbcb9e99f",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"lessThan": "d97505baea64d93538b16baf14ce7b8c1fbad746",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"status": "affected",
"version": "d8f7bff9a42627d37f4ecffeb01e44db42167175",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/umr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix the recovery flow of the UMR QP\n\nThis patch addresses an issue in the recovery flow of the UMR QP,\nensuring tasks do not get stuck, as highlighted by the call trace [1].\n\nDuring recovery, before transitioning the QP to the RESET state, the\nsoftware must wait for all outstanding WRs to complete.\n\nFailing to do so can cause the firmware to skip sending some flushed\nCQEs with errors and simply discard them upon the RESET, as per the IB\nspecification.\n\nThis race condition can result in lost CQEs and tasks becoming stuck.\n\nTo resolve this, the patch sends a final WR which serves only as a\nbarrier before moving the QP state to RESET.\n\nOnce a CQE is received for that final WR, it guarantees that no\noutstanding WRs remain, making it safe to transition the QP to RESET and\nsubsequently back to RTS, restoring proper functionality.\n\nNote:\nFor the barrier WR, we simply reuse the failed and ready WR.\nSince the QP is in an error state, it will only receive\nIB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don\u0027t\ncare about its status.\n\n[1]\nINFO: task rdma_resource_l:1922 blocked for more than 120 seconds.\nTainted: G W 6.12.0-rc7+ #1626\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369\n flags:0x00004004\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\nschedule_timeout+0x280/0x300\n? mark_held_locks+0x48/0x80\n? lockdep_hardirqs_on_prepare+0xe5/0x1a0\nwait_for_completion+0x75/0x130\nmlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]\n? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]\nmlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? __lock_acquire+0x64e/0x2080\n? mark_held_locks+0x48/0x80\n? find_held_lock+0x2d/0xa0\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? __fget_files+0xc3/0x1b0\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f99c918b17b\nRSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:\n 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:\n 00007f99c918b17b\nRDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:\n 0000000000000003\nRBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:\n 000000000000bd7e\nR10: 00007f99c94c1c70 R11: 0000000000000246 R12:\n 00007ffc766d0530\nR13: 000000000000001c R14: 0000000040246a80 R15:\n 0000000000000000\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:41.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e3bf255992cc02404e9d209b127c1c9944239cf"
},
{
"url": "https://git.kernel.org/stable/c/1d2b84d8d054313deed2b2fcafe1168bbcb9e99f"
},
{
"url": "https://git.kernel.org/stable/c/d97505baea64d93538b16baf14ce7b8c1fbad746"
}
],
"title": "RDMA/mlx5: Fix the recovery flow of the UMR QP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21892",
"datePublished": "2025-03-27T14:57:17.885Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-05-04T13:06:41.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49652 (GCVE-0-2022-49652)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not needed anymore.
Add missing of_node_put() in to fix this.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e Version: ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:41.629010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "452b9dfd7aca96befce22634fadb111737f22bbe",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "61b4ef19c346dc21ab1d4f39f5c412e3037b2bdc",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "3bd66010398871807c1cebacee07d60ded1b1402",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "b31ab132561c7f1b6459039152b8d09e44eb3565",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "37147e22cd8dfc0412495cb361708836157a4486",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "cb9813d7eae917acd34436160a278b8b5d48ca53",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "b5a817f8d62e9e13280928f3756e54854ae4962e",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
},
{
"lessThan": "c132fe78ad7b4ce8b5d49a501a15c29d08eeb23a",
"status": "affected",
"version": "ec9bfa1e1a796ef7acc2e55917c9b8be5a79e70e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ti/dma-crossbar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.323",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.288",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.252",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.205",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\n\nAdd missing of_node_put() in to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:37.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/452b9dfd7aca96befce22634fadb111737f22bbe"
},
{
"url": "https://git.kernel.org/stable/c/61b4ef19c346dc21ab1d4f39f5c412e3037b2bdc"
},
{
"url": "https://git.kernel.org/stable/c/3bd66010398871807c1cebacee07d60ded1b1402"
},
{
"url": "https://git.kernel.org/stable/c/b31ab132561c7f1b6459039152b8d09e44eb3565"
},
{
"url": "https://git.kernel.org/stable/c/37147e22cd8dfc0412495cb361708836157a4486"
},
{
"url": "https://git.kernel.org/stable/c/cb9813d7eae917acd34436160a278b8b5d48ca53"
},
{
"url": "https://git.kernel.org/stable/c/b5a817f8d62e9e13280928f3756e54854ae4962e"
},
{
"url": "https://git.kernel.org/stable/c/c132fe78ad7b4ce8b5d49a501a15c29d08eeb23a"
}
],
"title": "dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49652",
"datePublished": "2025-02-26T02:23:53.995Z",
"dateReserved": "2025-02-26T02:21:30.433Z",
"dateUpdated": "2025-10-01T19:36:48.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53006 (GCVE-0-2023-53006)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix oops due to uncleared server->smbd_conn in reconnect
In smbd_destroy(), clear the server->smbd_conn pointer after freeing the
smbd_connection struct that it points to so that reconnection doesn't get
confused.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9640c0b268405f2540e8203a545e930ea88bb7d",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "91be54849d5392050f5b847b42bd5e6221551ac8",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "e037baee16e0b9ace7e730888fcae9cec11daff2",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "4b83bc6f87eedab4599b0123e572a422689444be",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "5109607a4ece7cd8536172bf7549eb4dce1f3576",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "b7ab9161cf5ddc42a288edf9d1a61f3bdffe17c7",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix oops due to uncleared server-\u003esmbd_conn in reconnect\n\nIn smbd_destroy(), clear the server-\u003esmbd_conn pointer after freeing the\nsmbd_connection struct that it points to so that reconnection doesn\u0027t get\nconfused."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:22.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9640c0b268405f2540e8203a545e930ea88bb7d"
},
{
"url": "https://git.kernel.org/stable/c/91be54849d5392050f5b847b42bd5e6221551ac8"
},
{
"url": "https://git.kernel.org/stable/c/e037baee16e0b9ace7e730888fcae9cec11daff2"
},
{
"url": "https://git.kernel.org/stable/c/4b83bc6f87eedab4599b0123e572a422689444be"
},
{
"url": "https://git.kernel.org/stable/c/5109607a4ece7cd8536172bf7549eb4dce1f3576"
},
{
"url": "https://git.kernel.org/stable/c/b7ab9161cf5ddc42a288edf9d1a61f3bdffe17c7"
}
],
"title": "cifs: Fix oops due to uncleared server-\u003esmbd_conn in reconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53006",
"datePublished": "2025-03-27T16:43:37.225Z",
"dateReserved": "2025-03-27T16:40:15.745Z",
"dateUpdated": "2025-05-04T07:47:22.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49112 (GCVE-0-2022-49112)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: fix monitor mode crash with sdio driver
mt7921s driver may receive frames with fragment buffers. If there is a
CTS packet received in monitor mode, the payload is 10 bytes only and
need 6 bytes header padding after RXD buffer. However, only RXD in the
first linear buffer, if we pull buffer size RXD-size+6 bytes with
skb_pull(), that would trigger "BUG_ON(skb->len < skb->data_len)" in
__skb_pull().
To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to
256 to make sure all MCU operation in linear buffer.
[ 52.007562] kernel BUG at include/linux/skbuff.h:2313!
[ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 52.007987] pc : skb_pull+0x48/0x4c
[ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]
[ 52.008361] Call trace:
[ 52.008377] skb_pull+0x48/0x4c
[ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]
[ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]
[ 52.008449] kthread+0x148/0x3ac
[ 52.008466] ret_from_fork+0x10/0x30
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13946d5a68efd11dd6af2f6ef4c908f6b00158a5",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "c37b4cab3d97ef64b206fca4d9daabd9aff7356e",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "95e2af01669c7a3cb7a933cefa06361f9db15059",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "123bc712b1de0805f9d683687e17b1ec2aba0b68",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix monitor mode crash with sdio driver\n\nmt7921s driver may receive frames with fragment buffers. If there is a\nCTS packet received in monitor mode, the payload is 10 bytes only and\nneed 6 bytes header padding after RXD buffer. However, only RXD in the\nfirst linear buffer, if we pull buffer size RXD-size+6 bytes with\nskb_pull(), that would trigger \"BUG_ON(skb-\u003elen \u003c skb-\u003edata_len)\" in\n__skb_pull().\n\nTo avoid the nonlinear buffer issue, enlarge the RXD size from 128 to\n256 to make sure all MCU operation in linear buffer.\n\n[ 52.007562] kernel BUG at include/linux/skbuff.h:2313!\n[ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[ 52.007987] pc : skb_pull+0x48/0x4c\n[ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]\n[ 52.008361] Call trace:\n[ 52.008377] skb_pull+0x48/0x4c\n[ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]\n[ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]\n[ 52.008449] kthread+0x148/0x3ac\n[ 52.008466] ret_from_fork+0x10/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:08.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13946d5a68efd11dd6af2f6ef4c908f6b00158a5"
},
{
"url": "https://git.kernel.org/stable/c/c37b4cab3d97ef64b206fca4d9daabd9aff7356e"
},
{
"url": "https://git.kernel.org/stable/c/95e2af01669c7a3cb7a933cefa06361f9db15059"
},
{
"url": "https://git.kernel.org/stable/c/123bc712b1de0805f9d683687e17b1ec2aba0b68"
}
],
"title": "mt76: fix monitor mode crash with sdio driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49112",
"datePublished": "2025-02-26T01:54:57.109Z",
"dateReserved": "2025-02-26T01:49:39.261Z",
"dateUpdated": "2025-05-04T08:30:08.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49192 (GCVE-0-2022-49192)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool
cpsw_ethtool_begin directly returns the result of pm_runtime_get_sync
when successful.
pm_runtime_get_sync returns -error code on failure and 0 on successful
resume but also 1 when the device is already active. So the common case
for cpsw_ethtool_begin is to return 1. That leads to inconsistent calls
to pm_runtime_put in the call-chain so that pm_runtime_put is called
one too many times and as result leaving the cpsw dev behind suspended.
The suspended cpsw dev leads to an access violation later on by
different parts of the cpsw driver.
Fix this by calling the return-friendly pm_runtime_resume_and_get
function.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "585dc196a08fccdcd1b7fcf473cf566b34c4b840",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "459080fab12b23c0526026e5cedbf3fabb5457cc",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "30ad11bff021a94aff6dab1ec9236fdfd884fbff",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "2844e2434385819f674d1fb4130c308c50ba681e",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool\n\ncpsw_ethtool_begin directly returns the result of pm_runtime_get_sync\nwhen successful.\npm_runtime_get_sync returns -error code on failure and 0 on successful\nresume but also 1 when the device is already active. So the common case\nfor cpsw_ethtool_begin is to return 1. That leads to inconsistent calls\nto pm_runtime_put in the call-chain so that pm_runtime_put is called\none too many times and as result leaving the cpsw dev behind suspended.\n\nThe suspended cpsw dev leads to an access violation later on by\ndifferent parts of the cpsw driver.\n\nFix this by calling the return-friendly pm_runtime_resume_and_get\nfunction."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:58.822Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/585dc196a08fccdcd1b7fcf473cf566b34c4b840"
},
{
"url": "https://git.kernel.org/stable/c/459080fab12b23c0526026e5cedbf3fabb5457cc"
},
{
"url": "https://git.kernel.org/stable/c/30ad11bff021a94aff6dab1ec9236fdfd884fbff"
},
{
"url": "https://git.kernel.org/stable/c/2844e2434385819f674d1fb4130c308c50ba681e"
}
],
"title": "drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49192",
"datePublished": "2025-02-26T01:55:38.609Z",
"dateReserved": "2025-02-26T01:49:39.287Z",
"dateUpdated": "2025-05-04T08:31:58.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49164 (GCVE-0-2022-49164)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/tm: Fix more userspace r13 corruption
Commit cf13435b730a ("powerpc/tm: Fix userspace r13 corruption") fixes a
problem in treclaim where a SLB miss can occur on the
thread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13
value, clobbering it with the kernel r13 and ultimately resulting in
kernel r13 being stored in ckpt_regs.
There is an equivalent problem in trechkpt where the user r13 value is
loaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss
could occur on ckpt_regs accesses after that, which will result in r13
being clobbered with a kernel value and that will get recheckpointed and
then restored to user registers.
The same memory page is accessed right before this critical window where
a SLB miss could cause corruption, so hitting the bug requires the SLB
entry be removed within a small window of instructions, which is
possible if a SLB related MCE hits there. PAPR also permits the
hypervisor to discard this SLB entry (because slb_shadow->persistent is
only set to SLB_NUM_BOLTED) although it's not known whether any
implementations would do this (KVM does not). So this is an extremely
unlikely bug, only found by inspection.
Fix this by also storing user r13 in a temporary location on the kernel
stack and don't change the r13 register from kernel r13 until the RI=0
critical section that does not fault.
The SCRATCH0 change is not strictly part of the fix, it's only used in
the RI=0 section so it does not have the same problem as the previous
SCRATCH0 bug.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/tm.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5dce84f475d13b773a1a4c823581cab25044d86a",
"status": "affected",
"version": "98ae22e15b430bfed5def01ac1a88ec9396284c8",
"versionType": "git"
},
{
"lessThan": "73d8082c90f17dfba57cad4ca94db5cae323f1b1",
"status": "affected",
"version": "98ae22e15b430bfed5def01ac1a88ec9396284c8",
"versionType": "git"
},
{
"lessThan": "9d71165d3934e607070c4e48458c0cf161b1baea",
"status": "affected",
"version": "98ae22e15b430bfed5def01ac1a88ec9396284c8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/tm.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/tm: Fix more userspace r13 corruption\n\nCommit cf13435b730a (\"powerpc/tm: Fix userspace r13 corruption\") fixes a\nproblem in treclaim where a SLB miss can occur on the\nthread_struct-\u003eckpt_regs while SCRATCH0 is live with the saved user r13\nvalue, clobbering it with the kernel r13 and ultimately resulting in\nkernel r13 being stored in ckpt_regs.\n\nThere is an equivalent problem in trechkpt where the user r13 value is\nloaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss\ncould occur on ckpt_regs accesses after that, which will result in r13\nbeing clobbered with a kernel value and that will get recheckpointed and\nthen restored to user registers.\n\nThe same memory page is accessed right before this critical window where\na SLB miss could cause corruption, so hitting the bug requires the SLB\nentry be removed within a small window of instructions, which is\npossible if a SLB related MCE hits there. PAPR also permits the\nhypervisor to discard this SLB entry (because slb_shadow-\u003epersistent is\nonly set to SLB_NUM_BOLTED) although it\u0027s not known whether any\nimplementations would do this (KVM does not). So this is an extremely\nunlikely bug, only found by inspection.\n\nFix this by also storing user r13 in a temporary location on the kernel\nstack and don\u0027t change the r13 register from kernel r13 until the RI=0\ncritical section that does not fault.\n\nThe SCRATCH0 change is not strictly part of the fix, it\u0027s only used in\nthe RI=0 section so it does not have the same problem as the previous\nSCRATCH0 bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:22.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5dce84f475d13b773a1a4c823581cab25044d86a"
},
{
"url": "https://git.kernel.org/stable/c/73d8082c90f17dfba57cad4ca94db5cae323f1b1"
},
{
"url": "https://git.kernel.org/stable/c/9d71165d3934e607070c4e48458c0cf161b1baea"
}
],
"title": "powerpc/tm: Fix more userspace r13 corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49164",
"datePublished": "2025-02-26T01:55:24.540Z",
"dateReserved": "2025-02-26T01:49:39.277Z",
"dateUpdated": "2025-05-04T08:31:22.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49330 (GCVE-0-2022-49330)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
syzbot got a new report [1] finally pointing to a very old bug,
added in initial support for MTU probing.
tcp_mtu_probe() has checks about starting an MTU probe if
tcp_snd_cwnd(tp) >= 11.
But nothing prevents tcp_snd_cwnd(tp) to be reduced later
and before the MTU probe succeeds.
This bug would lead to potential zero-divides.
Debugging added in commit 40570375356c ("tcp: add accessors
to read/set tp->snd_cwnd") has paid off :)
While we are at it, address potential overflows in this code.
[1]
WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Modules linked in:
CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]
RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Code: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff
RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287
RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000
RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f
RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520
R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50
R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000
FS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356
tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861
tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973
tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476
sk_backlog_rcv include/net/sock.h:1061 [inline]
__release_sock+0x1d8/0x4c0 net/core/sock.c:2849
release_sock+0x5d/0x1c0 net/core/sock.c:3404
sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145
tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410
tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
__sys_sendto+0x439/0x5c0 net/socket.c:2119
__do_sys_sendto net/socket.c:2131 [inline]
__se_sys_sendto net/socket.c:2127 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2127
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6431289109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109
RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee Version: 5d424d5a674f782d0659a3b66d951f412901faee |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e13f6b38f0816af2012e0725507754e8f4569c",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "42726877453afdbe1508a8a96884ea907741d9a7",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "f2845e1504a3bc4f3381394f057e8b63cb5f3f7a",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "602b338e3c3cd7f935f3f5011882961d074e5ac1",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "9ba2b4ac35935f05ac98cff722f36ba07d62270e",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "aa7f333efd1138a68517a6a6a69ae540dd59d800",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "38ca71a24cd4845021eed35fd2594d89dba9a5a8",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
},
{
"lessThan": "11825765291a93d8e7f44230da67b9f607c777bf",
"status": "affected",
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_mtup_probe_success vs wrong snd_cwnd\n\nsyzbot got a new report [1] finally pointing to a very old bug,\nadded in initial support for MTU probing.\n\ntcp_mtu_probe() has checks about starting an MTU probe if\ntcp_snd_cwnd(tp) \u003e= 11.\n\nBut nothing prevents tcp_snd_cwnd(tp) to be reduced later\nand before the MTU probe succeeds.\n\nThis bug would lead to potential zero-divides.\n\nDebugging added in commit 40570375356c (\"tcp: add accessors\nto read/set tp-\u003esnd_cwnd\") has paid off :)\n\nWhile we are at it, address potential overflows in this code.\n\n[1]\nWARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nModules linked in:\nCPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]\nRIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nCode: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 \u003c0f\u003e 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff\nRSP: 0018:ffffc900079e70f8 EFLAGS: 00010287\nRAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000\nRDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f\nRBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520\nR10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50\nR13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000\nFS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356\n tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861\n tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973\n tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x1d8/0x4c0 net/core/sock.c:2849\n release_sock+0x5d/0x1c0 net/core/sock.c:3404\n sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145\n tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410\n tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n __sys_sendto+0x439/0x5c0 net/socket.c:2119\n __do_sys_sendto net/socket.c:2131 [inline]\n __se_sys_sendto net/socket.c:2127 [inline]\n __x64_sys_sendto+0xda/0xf0 net/socket.c:2127\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f6431289109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109\nRDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a\nRBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:20.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e13f6b38f0816af2012e0725507754e8f4569c"
},
{
"url": "https://git.kernel.org/stable/c/42726877453afdbe1508a8a96884ea907741d9a7"
},
{
"url": "https://git.kernel.org/stable/c/f2845e1504a3bc4f3381394f057e8b63cb5f3f7a"
},
{
"url": "https://git.kernel.org/stable/c/602b338e3c3cd7f935f3f5011882961d074e5ac1"
},
{
"url": "https://git.kernel.org/stable/c/9ba2b4ac35935f05ac98cff722f36ba07d62270e"
},
{
"url": "https://git.kernel.org/stable/c/90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc"
},
{
"url": "https://git.kernel.org/stable/c/aa7f333efd1138a68517a6a6a69ae540dd59d800"
},
{
"url": "https://git.kernel.org/stable/c/38ca71a24cd4845021eed35fd2594d89dba9a5a8"
},
{
"url": "https://git.kernel.org/stable/c/11825765291a93d8e7f44230da67b9f607c777bf"
}
],
"title": "tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49330",
"datePublished": "2025-02-26T02:10:50.554Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-05-04T08:35:20.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49530 (GCVE-0-2022-49530)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: fix double free in si_parse_power_table()
In function si_parse_power_table(), array adev->pm.dpm.ps and its member
is allocated. If the allocation of each member fails, the array itself
is freed and returned with an error code. However, the array is later
freed again in si_dpm_fini() function which is called when the function
returns an error.
This leads to potential double free of the array adev->pm.dpm.ps, as
well as leak of its array members, since the members are not freed in
the allocation function and the array is not nulled when freed.
In addition adev->pm.dpm.num_ps, which keeps track of the allocated
array member, is not updated until the member allocation is
successfully finished, this could also lead to either use after free,
or uninitialized variable access in si_dpm_fini().
Fix this by postponing the free of the array until si_dpm_fini() and
increment adev->pm.dpm.num_ps everytime the array member is allocated.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:58.672887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2615464854505188f909d0c07c37a6623693b5c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c5bdaa1325be7f04b79ea992ab216739192d342",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0e811c4ccf3b42705976285e3a94cc82dea7300",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af832028af6f44c6c45645757079c4ed6884ade5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca1ce206894dd976275c78ee38dbc19873f22de9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5ce7051db044290b1a95045ff03c249005a3aa4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd2eff8b9dcbe469c3b7bbbc7083ab5ed94de07b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43eb9b667b95f2a31c63e8949b0d2161b9be59c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix double free in si_parse_power_table()\n\nIn function si_parse_power_table(), array adev-\u003epm.dpm.ps and its member\nis allocated. If the allocation of each member fails, the array itself\nis freed and returned with an error code. However, the array is later\nfreed again in si_dpm_fini() function which is called when the function\nreturns an error.\n\nThis leads to potential double free of the array adev-\u003epm.dpm.ps, as\nwell as leak of its array members, since the members are not freed in\nthe allocation function and the array is not nulled when freed.\nIn addition adev-\u003epm.dpm.num_ps, which keeps track of the allocated\narray member, is not updated until the member allocation is\nsuccessfully finished, this could also lead to either use after free,\nor uninitialized variable access in si_dpm_fini().\n\nFix this by postponing the free of the array until si_dpm_fini() and\nincrement adev-\u003epm.dpm.num_ps everytime the array member is allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:54.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2615464854505188f909d0c07c37a6623693b5c7"
},
{
"url": "https://git.kernel.org/stable/c/6c5bdaa1325be7f04b79ea992ab216739192d342"
},
{
"url": "https://git.kernel.org/stable/c/c0e811c4ccf3b42705976285e3a94cc82dea7300"
},
{
"url": "https://git.kernel.org/stable/c/af832028af6f44c6c45645757079c4ed6884ade5"
},
{
"url": "https://git.kernel.org/stable/c/ca1ce206894dd976275c78ee38dbc19873f22de9"
},
{
"url": "https://git.kernel.org/stable/c/a5ce7051db044290b1a95045ff03c249005a3aa4"
},
{
"url": "https://git.kernel.org/stable/c/fd2eff8b9dcbe469c3b7bbbc7083ab5ed94de07b"
},
{
"url": "https://git.kernel.org/stable/c/43eb9b667b95f2a31c63e8949b0d2161b9be59c3"
},
{
"url": "https://git.kernel.org/stable/c/f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd"
}
],
"title": "drm/amd/pm: fix double free in si_parse_power_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49530",
"datePublished": "2025-02-26T02:13:51.057Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-10-01T19:46:41.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49250 (GCVE-0-2022-49250)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rx-macro: fix accessing compander for aux
AUX interpolator does not have compander, so check before accessing
compander data for this.
Without this checkan array of out bounds access will be made in
comp_enabled[] array.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9208ecc703b5ed5b12d7ea13c79207f4c8456638",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "87a2b44cb3005d30c3a72234d1e47b03ae3bb29a",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "6aa8ef9535dbd561293406608ebe791627b10196",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "42c709c4e1ce4c136891530646c9abd5dff3524f",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing compander for aux\n\nAUX interpolator does not have compander, so check before accessing\ncompander data for this.\n\nWithout this checkan array of out bounds access will be made in\ncomp_enabled[] array."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:21.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9208ecc703b5ed5b12d7ea13c79207f4c8456638"
},
{
"url": "https://git.kernel.org/stable/c/87a2b44cb3005d30c3a72234d1e47b03ae3bb29a"
},
{
"url": "https://git.kernel.org/stable/c/6aa8ef9535dbd561293406608ebe791627b10196"
},
{
"url": "https://git.kernel.org/stable/c/42c709c4e1ce4c136891530646c9abd5dff3524f"
}
],
"title": "ASoC: codecs: rx-macro: fix accessing compander for aux",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49250",
"datePublished": "2025-02-26T01:56:07.719Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:21.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49625 (GCVE-0-2022-49625)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix kernel panic when creating VF
When creating VFs a kernel panic can happen when calling to
efx_ef10_try_update_nic_stats_vf.
When releasing a DMA coherent buffer, sometimes, I don't know in what
specific circumstances, it has to unmap memory with vunmap. It is
disallowed to do that in IRQ context or with BH disabled. Otherwise, we
hit this line in vunmap, causing the crash:
BUG_ON(in_interrupt());
This patch reenables BH to release the buffer.
Log messages when the bug is hit:
kernel BUG at mm/vmalloc.c:2727!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1
Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020
RIP: 0010:vunmap+0x2e/0x30
...skip...
Call Trace:
__iommu_dma_free+0x96/0x100
efx_nic_free_buffer+0x2b/0x40 [sfc]
efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]
efx_ef10_update_stats_vf+0x18/0x40 [sfc]
efx_start_all+0x15e/0x1d0 [sfc]
efx_net_open+0x5a/0xe0 [sfc]
__dev_open+0xe7/0x1a0
__dev_change_flags+0x1d7/0x240
dev_change_flags+0x21/0x60
...skip...
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 Version: d778819609a27efd5358da8151a0ad3507243e19 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9840212a9c00507347c703f4fdeda16400407e0",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "b9072305270579a9d6afc9b926166231e5b1a7c8",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "82bcb730f856086f033e6c04082eb4503d4c2fa4",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "da346adcf5573fd8663cabfdfe8371009629a906",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "b82e4ad58a7fb72456503958a93060f87896e629",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "68e5f32f0de9594629ff9e599294d9801c6187de",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "16662524ec5da801fb78a1afcaf6e782f1cf103a",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
},
{
"lessThan": "ada74c5539eba06cf8b47d068f92e0b3963a9a6e",
"status": "affected",
"version": "d778819609a27efd5358da8151a0ad3507243e19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix kernel panic when creating VF\n\nWhen creating VFs a kernel panic can happen when calling to\nefx_ef10_try_update_nic_stats_vf.\n\nWhen releasing a DMA coherent buffer, sometimes, I don\u0027t know in what\nspecific circumstances, it has to unmap memory with vunmap. It is\ndisallowed to do that in IRQ context or with BH disabled. Otherwise, we\nhit this line in vunmap, causing the crash:\n BUG_ON(in_interrupt());\n\nThis patch reenables BH to release the buffer.\n\nLog messages when the bug is hit:\n kernel BUG at mm/vmalloc.c:2727!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1\n Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020\n RIP: 0010:vunmap+0x2e/0x30\n ...skip...\n Call Trace:\n __iommu_dma_free+0x96/0x100\n efx_nic_free_buffer+0x2b/0x40 [sfc]\n efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]\n efx_ef10_update_stats_vf+0x18/0x40 [sfc]\n efx_start_all+0x15e/0x1d0 [sfc]\n efx_net_open+0x5a/0xe0 [sfc]\n __dev_open+0xe7/0x1a0\n __dev_change_flags+0x1d7/0x240\n dev_change_flags+0x21/0x60\n ...skip..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:04.336Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9840212a9c00507347c703f4fdeda16400407e0"
},
{
"url": "https://git.kernel.org/stable/c/b9072305270579a9d6afc9b926166231e5b1a7c8"
},
{
"url": "https://git.kernel.org/stable/c/82bcb730f856086f033e6c04082eb4503d4c2fa4"
},
{
"url": "https://git.kernel.org/stable/c/da346adcf5573fd8663cabfdfe8371009629a906"
},
{
"url": "https://git.kernel.org/stable/c/b82e4ad58a7fb72456503958a93060f87896e629"
},
{
"url": "https://git.kernel.org/stable/c/68e5f32f0de9594629ff9e599294d9801c6187de"
},
{
"url": "https://git.kernel.org/stable/c/16662524ec5da801fb78a1afcaf6e782f1cf103a"
},
{
"url": "https://git.kernel.org/stable/c/ada74c5539eba06cf8b47d068f92e0b3963a9a6e"
}
],
"title": "sfc: fix kernel panic when creating VF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49625",
"datePublished": "2025-02-26T02:23:40.786Z",
"dateReserved": "2025-02-26T02:21:30.421Z",
"dateUpdated": "2025-05-04T08:42:04.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21723 (GCVE-0-2025-21723)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix possible crash when setting up bsg fails
If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.
Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)"
will not be satisfied, preventing execution from entering
bsg_remove_queue(), which could lead to the following crash:
BUG: kernel NULL pointer dereference, address: 000000000000041c
Call Trace:
<TASK>
mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]
mpi3mr_remove+0x6f/0x340 [mpi3mr]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x19d/0x220
unbind_store+0xa4/0xb0
kernfs_fop_write_iter+0x11f/0x200
vfs_write+0x1fc/0x3e0
ksys_write+0x67/0xe0
do_syscall_64+0x38/0x80
entry_SYSCALL_64_after_hwframe+0x78/0xe2
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:33.491666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:05.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19b248069d1b1424982723a2bf3941ad864d5204",
"status": "affected",
"version": "4268fa7513655a83d5492705591fdac6c65db48a",
"versionType": "git"
},
{
"lessThan": "832b8f95a2832321b8200ae478ed988b25faaef4",
"status": "affected",
"version": "4268fa7513655a83d5492705591fdac6c65db48a",
"versionType": "git"
},
{
"lessThan": "295006f6e8c17212d3098811166e29627d19e05c",
"status": "affected",
"version": "4268fa7513655a83d5492705591fdac6c65db48a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix possible crash when setting up bsg fails\n\nIf bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.\nConsequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc-\u003ebsg_queue)\"\nwill not be satisfied, preventing execution from entering\nbsg_remove_queue(), which could lead to the following crash:\n\nBUG: kernel NULL pointer dereference, address: 000000000000041c\nCall Trace:\n \u003cTASK\u003e\n mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]\n mpi3mr_remove+0x6f/0x340 [mpi3mr]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x19d/0x220\n unbind_store+0xa4/0xb0\n kernfs_fop_write_iter+0x11f/0x200\n vfs_write+0x1fc/0x3e0\n ksys_write+0x67/0xe0\n do_syscall_64+0x38/0x80\n entry_SYSCALL_64_after_hwframe+0x78/0xe2"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:47.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19b248069d1b1424982723a2bf3941ad864d5204"
},
{
"url": "https://git.kernel.org/stable/c/832b8f95a2832321b8200ae478ed988b25faaef4"
},
{
"url": "https://git.kernel.org/stable/c/295006f6e8c17212d3098811166e29627d19e05c"
}
],
"title": "scsi: mpi3mr: Fix possible crash when setting up bsg fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21723",
"datePublished": "2025-02-27T02:07:30.985Z",
"dateReserved": "2024-12-29T08:45:45.754Z",
"dateUpdated": "2025-10-01T20:17:05.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21877 (GCVE-0-2025-21877)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: gl620a: fix endpoint checking in genelink_bind()
Syzbot reports [1] a warning in usb_submit_urb() triggered by
inconsistencies between expected and actually present endpoints
in gl620a driver. Since genelink_bind() does not properly
verify whether specified eps are in fact provided by the device,
in this case, an artificially manufactured one, one may get a
mismatch.
Fix the issue by resorting to a usbnet utility function
usbnet_get_endpoints(), usually reserved for this very problem.
Check for endpoints and return early before proceeding further if
any are missing.
[1] Syzbot report:
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_resolve_output net/core/neighbour.c:1514 [inline]
neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
neigh_output include/net/neighbour.h:539 [inline]
ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
mld_send_cr net/ipv6/mcast.c:2120 [inline]
mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:34.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/gl620a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f2dbabbce04b1ffcd6d8d07564adb94db577536",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "24dd971104057c8828d420a48e0a5af6e6f30d3e",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "67ebc3391c8377738e97a43374054d9718fdb6e4",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "a2ee5e55b50a97d13617c8653482c0ad4decff8c",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "4e8b8d43373bf837be159366f0192502f97ec7a5",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "ded25730c96949cb8b048b29c557e38569124943",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "1cf9631d836b289bd5490776551961c883ae8a4f",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/gl620a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register \u0027gl620a\u0027 at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:09.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536"
},
{
"url": "https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e"
},
{
"url": "https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc"
},
{
"url": "https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4"
},
{
"url": "https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c"
},
{
"url": "https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5"
},
{
"url": "https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943"
},
{
"url": "https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f"
}
],
"title": "usbnet: gl620a: fix endpoint checking in genelink_bind()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21877",
"datePublished": "2025-03-27T14:57:07.462Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-11-03T19:38:34.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58051 (GCVE-0-2024-58051)
Vulnerability from cvelistv5
Published
2025-03-06 15:53
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi: ipmb: Add check devm_kasprintf() returned value
devm_kasprintf() can return a NULL pointer on failure but this
returned value is not checked.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 Version: 51bd6f291583684f495ea498984dfc22049d7fd2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:43.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmb_dev_int.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a8a17c5ce9cb5a82797602bff9819ac732d2ff5",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "caac520350546e736894d14e051b64a9edb3600c",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "eb288ab33fd87579789cb331209ff09e988ff4f7",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "312a6445036d692bc5665307eeafa4508c33c4b5",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "4c9caf86d04dcb10e9fd8cd9db8eb79b5bfcc4d8",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "e529fbcf1f35f5fc3c839df7f06c3e3d02579715",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "a63284d415d4d114abd8be6e66a9558f3ca0702d",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
},
{
"lessThan": "2378bd0b264ad3a1f76bd957caf33ee0c7945351",
"status": "affected",
"version": "51bd6f291583684f495ea498984dfc22049d7fd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmb_dev_int.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ipmb: Add check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this\nreturned value is not checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:44.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a8a17c5ce9cb5a82797602bff9819ac732d2ff5"
},
{
"url": "https://git.kernel.org/stable/c/caac520350546e736894d14e051b64a9edb3600c"
},
{
"url": "https://git.kernel.org/stable/c/eb288ab33fd87579789cb331209ff09e988ff4f7"
},
{
"url": "https://git.kernel.org/stable/c/312a6445036d692bc5665307eeafa4508c33c4b5"
},
{
"url": "https://git.kernel.org/stable/c/4c9caf86d04dcb10e9fd8cd9db8eb79b5bfcc4d8"
},
{
"url": "https://git.kernel.org/stable/c/e529fbcf1f35f5fc3c839df7f06c3e3d02579715"
},
{
"url": "https://git.kernel.org/stable/c/a63284d415d4d114abd8be6e66a9558f3ca0702d"
},
{
"url": "https://git.kernel.org/stable/c/2378bd0b264ad3a1f76bd957caf33ee0c7945351"
}
],
"title": "ipmi: ipmb: Add check devm_kasprintf() returned value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58051",
"datePublished": "2025-03-06T15:53:56.175Z",
"dateReserved": "2025-03-06T15:52:09.178Z",
"dateUpdated": "2025-11-03T19:33:43.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49475 (GCVE-0-2022-49475)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()
It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,
we need check the return value.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:39.524948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "560dcbe1c7a78f597f2167371ebdbe2bca3d0735",
"status": "affected",
"version": "858e26a515c28df3ef542d9c09493b54a329d6cf",
"versionType": "git"
},
{
"lessThan": "10f537219629769498ecb8515e096be213224c24",
"status": "affected",
"version": "858e26a515c28df3ef542d9c09493b54a329d6cf",
"versionType": "git"
},
{
"lessThan": "33dda87d04598ac5d9a849218a373443f7d3de66",
"status": "affected",
"version": "858e26a515c28df3ef542d9c09493b54a329d6cf",
"versionType": "git"
},
{
"lessThan": "9d9c84825c3ec359b165c762a424cfdefe87fdd7",
"status": "affected",
"version": "858e26a515c28df3ef542d9c09493b54a329d6cf",
"versionType": "git"
},
{
"lessThan": "a2b331ac11e1cac56f5b7d367e9f3c5796deaaed",
"status": "affected",
"version": "858e26a515c28df3ef542d9c09493b54a329d6cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()\n\nIt will cause null-ptr-deref if platform_get_resource_byname() returns NULL,\nwe need check the return value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:31.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/560dcbe1c7a78f597f2167371ebdbe2bca3d0735"
},
{
"url": "https://git.kernel.org/stable/c/10f537219629769498ecb8515e096be213224c24"
},
{
"url": "https://git.kernel.org/stable/c/33dda87d04598ac5d9a849218a373443f7d3de66"
},
{
"url": "https://git.kernel.org/stable/c/9d9c84825c3ec359b165c762a424cfdefe87fdd7"
},
{
"url": "https://git.kernel.org/stable/c/a2b331ac11e1cac56f5b7d367e9f3c5796deaaed"
}
],
"title": "spi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49475",
"datePublished": "2025-02-26T02:13:17.353Z",
"dateReserved": "2025-02-26T02:08:31.580Z",
"dateUpdated": "2025-10-01T19:46:45.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49359 (GCVE-0-2022-49359)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panfrost: Job should reference MMU not file_priv
For a while now it's been allowed for a MMU context to outlive it's
corresponding panfrost_priv, however the job structure still references
panfrost_priv to get hold of the MMU context. If panfrost_priv has been
freed this is a use-after-free which I've been able to trigger resulting
in a splat.
To fix this, drop the reference to panfrost_priv in the job structure
and add a direct reference to the MMU structure which is what's actually
needed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212 Version: 7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212 Version: 7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212 Version: c29485e34e63198dca6289639aa711f99d88e76e Version: 626adede2642f00c8918999a2451bd0a644ab9b7 Version: cf461fa9250a634e8afc4433d82ae0decea8136e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:38.134749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panfrost/panfrost_drv.c",
"drivers/gpu/drm/panfrost/panfrost_job.c",
"drivers/gpu/drm/panfrost/panfrost_job.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c8e8cc91a6ffc79865108279a74fd57d9070a17",
"status": "affected",
"version": "7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212",
"versionType": "git"
},
{
"lessThan": "472dd7ea5e19a1aeabf1711ddc756777e05ee7c2",
"status": "affected",
"version": "7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212",
"versionType": "git"
},
{
"lessThan": "6e516faf04317db2c46cbec4e3b78b4653a5b109",
"status": "affected",
"version": "7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212",
"versionType": "git"
},
{
"status": "affected",
"version": "c29485e34e63198dca6289639aa711f99d88e76e",
"versionType": "git"
},
{
"status": "affected",
"version": "626adede2642f00c8918999a2451bd0a644ab9b7",
"versionType": "git"
},
{
"status": "affected",
"version": "cf461fa9250a634e8afc4433d82ae0decea8136e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panfrost/panfrost_drv.c",
"drivers/gpu/drm/panfrost/panfrost_job.c",
"drivers/gpu/drm/panfrost/panfrost_job.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Job should reference MMU not file_priv\n\nFor a while now it\u0027s been allowed for a MMU context to outlive it\u0027s\ncorresponding panfrost_priv, however the job structure still references\npanfrost_priv to get hold of the MMU context. If panfrost_priv has been\nfreed this is a use-after-free which I\u0027ve been able to trigger resulting\nin a splat.\n\nTo fix this, drop the reference to panfrost_priv in the job structure\nand add a direct reference to the MMU structure which is what\u0027s actually\nneeded."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:30.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c8e8cc91a6ffc79865108279a74fd57d9070a17"
},
{
"url": "https://git.kernel.org/stable/c/472dd7ea5e19a1aeabf1711ddc756777e05ee7c2"
},
{
"url": "https://git.kernel.org/stable/c/6e516faf04317db2c46cbec4e3b78b4653a5b109"
}
],
"title": "drm/panfrost: Job should reference MMU not file_priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49359",
"datePublished": "2025-02-26T02:11:07.930Z",
"dateReserved": "2025-02-26T02:08:31.546Z",
"dateUpdated": "2025-05-04T12:44:30.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52983 (GCVE-0-2023-52983)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bic_set_bfqq()
After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.
Fix the problem by always freeing bfqq after bic_set_bfqq().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:42.552227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f77f3dab5066a7c9da73d72d1eee895ff84a8d5",
"status": "affected",
"version": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"versionType": "git"
},
{
"lessThan": "511c922c5bf6c8a166bea826e702336bc2424140",
"status": "affected",
"version": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"versionType": "git"
},
{
"lessThan": "cb1876fc33af26d00efdd473311f1b664c77c44e",
"status": "affected",
"version": "761564d93c8265f65543acf0a576b32d66bfa26a",
"versionType": "git"
},
{
"lessThan": "b600de2d7d3a16f9007fad1bdae82a3951a26af2",
"status": "affected",
"version": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"versionType": "git"
},
{
"status": "affected",
"version": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.93",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.11",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bic_set_bfqq()\n\nAfter commit 64dc8c732f5c (\"block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\"),\nbic-\u003ebfqq will be accessed in bic_set_bfqq(), however, in some context\nbic-\u003ebfqq will be freed, and bic_set_bfqq() is called with the freed\nbic-\u003ebfqq.\n\nFix the problem by always freeing bfqq after bic_set_bfqq()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:01.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f77f3dab5066a7c9da73d72d1eee895ff84a8d5"
},
{
"url": "https://git.kernel.org/stable/c/511c922c5bf6c8a166bea826e702336bc2424140"
},
{
"url": "https://git.kernel.org/stable/c/cb1876fc33af26d00efdd473311f1b664c77c44e"
},
{
"url": "https://git.kernel.org/stable/c/b600de2d7d3a16f9007fad1bdae82a3951a26af2"
}
],
"title": "block, bfq: fix uaf for bfqq in bic_set_bfqq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52983",
"datePublished": "2025-03-27T16:43:21.372Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T12:50:01.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29901 (GCVE-0-2022-29901)
Vulnerability from cvelistv5
Published
2022-07-12 00:00
Modified
2024-08-03 06:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure
Summary
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intel | Intel Microprocessors |
Version: generations 6 to 8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:43.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://comsec.ethz.ch/retbleed"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html"
},
{
"name": "[oss-security] 20220712 Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/2"
},
{
"name": "[oss-security] 20220712 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/4"
},
{
"name": "[oss-security] 20220712 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/5"
},
{
"name": "[oss-security] 20220713 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/13/1"
},
{
"name": "FEDORA-2022-c69ef9c1dd",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/"
},
{
"name": "FEDORA-2022-8aab5b5cde",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/"
},
{
"name": "DSA-5207",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5207"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221007-0007/"
},
{
"name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Intel Microprocessors",
"vendor": "Intel",
"versions": [
{
"status": "affected",
"version": "generations 6 to 8"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Johannes Wikner - ETH Z\u00fcrich"
},
{
"lang": "en",
"value": "Kaveh Razavi - ETH Z\u00fcrich"
}
],
"descriptions": [
{
"lang": "en",
"value": "Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-04T08:06:41.365488",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"url": "https://comsec.ethz.ch/retbleed"
},
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html"
},
{
"name": "[oss-security] 20220712 Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/2"
},
{
"name": "[oss-security] 20220712 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/4"
},
{
"name": "[oss-security] 20220712 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/12/5"
},
{
"name": "[oss-security] 20220713 Re: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/07/13/1"
},
{
"name": "FEDORA-2022-c69ef9c1dd",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/"
},
{
"name": "FEDORA-2022-8aab5b5cde",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/"
},
{
"name": "DSA-5207",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5207"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221007-0007/"
},
{
"name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary Memory Disclosure through CPU Side-Channel Attacks (Retbleed)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2022-29901",
"datePublished": "2022-07-12T00:00:00",
"dateReserved": "2022-04-28T00:00:00",
"dateUpdated": "2024-08-03T06:33:43.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49416 (GCVE-0-2022-49416)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix use-after-free in chanctx code
In ieee80211_vif_use_reserved_context(), when we have an
old context and the new context's replace_state is set to
IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
in ieee80211_vif_use_reserved_reassign(). Therefore, we
cannot check the old_ctx anymore, so we should set it to
NULL after this point.
However, since the new_ctx replace state is clearly not
IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
anything else in this function and can just return to
avoid accessing the freed old_ctx.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f Version: 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:18.774528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/chan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88cc8f963febe192d6ded9df7217f92f380b449a",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "4ba81e794f0fad6234f644c2da1ae14d5b95e1c4",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "9f1e5cc85ad77e52f54049a94db0407445ae2a34",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "265bec4779a38b65e86a25120370f200822dfa76",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "6118bbdf69f4718b02d26bbcf2e497eb66004331",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "b79110f2bf6022e60e590d2e094728a8eec3e79e",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
},
{
"lessThan": "2965c4cdf7ad9ce0796fac5e57debb9519ea721e",
"status": "affected",
"version": "5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/chan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix use-after-free in chanctx code\n\nIn ieee80211_vif_use_reserved_context(), when we have an\nold context and the new context\u0027s replace_state is set to\nIEEE80211_CHANCTX_REPLACE_NONE, we free the old context\nin ieee80211_vif_use_reserved_reassign(). Therefore, we\ncannot check the old_ctx anymore, so we should set it to\nNULL after this point.\n\nHowever, since the new_ctx replace state is clearly not\nIEEE80211_CHANCTX_REPLACES_OTHER, we\u0027re not going to do\nanything else in this function and can just return to\navoid accessing the freed old_ctx."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:12.553Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88cc8f963febe192d6ded9df7217f92f380b449a"
},
{
"url": "https://git.kernel.org/stable/c/4ba81e794f0fad6234f644c2da1ae14d5b95e1c4"
},
{
"url": "https://git.kernel.org/stable/c/9f1e5cc85ad77e52f54049a94db0407445ae2a34"
},
{
"url": "https://git.kernel.org/stable/c/265bec4779a38b65e86a25120370f200822dfa76"
},
{
"url": "https://git.kernel.org/stable/c/6118bbdf69f4718b02d26bbcf2e497eb66004331"
},
{
"url": "https://git.kernel.org/stable/c/b79110f2bf6022e60e590d2e094728a8eec3e79e"
},
{
"url": "https://git.kernel.org/stable/c/82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c"
},
{
"url": "https://git.kernel.org/stable/c/4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c"
},
{
"url": "https://git.kernel.org/stable/c/2965c4cdf7ad9ce0796fac5e57debb9519ea721e"
}
],
"title": "wifi: mac80211: fix use-after-free in chanctx code",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49416",
"datePublished": "2025-02-26T02:12:37.173Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:12.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49538 (GCVE-0-2022-49538)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: jack: Access input_dev under mutex
It is possible when using ASoC that input_dev is unregistered while
calling snd_jack_report, which causes NULL pointer dereference.
In order to prevent this serialize access to input_dev using mutex lock.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:42.496605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:40.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/jack.h",
"sound/core/jack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74bab3bcf422593c582e47130aa8eb41ebb2dc09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8487a88136d54a1a4d3f26f1399685db648ab879",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c093b62c40027c21d649c5534ad7aa3605a99b00",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f68bed124c7699e23ffb4ce4fcc84671e9193cde",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e2b8681769f6e205382f026b907d28aa5ec9d59a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5cc6f623f4818c7d7e9e966a45ebf324901ca9c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e6a73b0c0f2014eb89249fb1640c5a3d58221c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "582aea6084cc59fec881204f026816d1219f2348",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b6a6fc5280e97559287b61eade2d4b363e836f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/sound/jack.h",
"sound/core/jack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: jack: Access input_dev under mutex\n\nIt is possible when using ASoC that input_dev is unregistered while\ncalling snd_jack_report, which causes NULL pointer dereference.\nIn order to prevent this serialize access to input_dev using mutex lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:05.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74bab3bcf422593c582e47130aa8eb41ebb2dc09"
},
{
"url": "https://git.kernel.org/stable/c/8487a88136d54a1a4d3f26f1399685db648ab879"
},
{
"url": "https://git.kernel.org/stable/c/c093b62c40027c21d649c5534ad7aa3605a99b00"
},
{
"url": "https://git.kernel.org/stable/c/f68bed124c7699e23ffb4ce4fcc84671e9193cde"
},
{
"url": "https://git.kernel.org/stable/c/e2b8681769f6e205382f026b907d28aa5ec9d59a"
},
{
"url": "https://git.kernel.org/stable/c/5cc6f623f4818c7d7e9e966a45ebf324901ca9c5"
},
{
"url": "https://git.kernel.org/stable/c/9e6a73b0c0f2014eb89249fb1640c5a3d58221c4"
},
{
"url": "https://git.kernel.org/stable/c/582aea6084cc59fec881204f026816d1219f2348"
},
{
"url": "https://git.kernel.org/stable/c/1b6a6fc5280e97559287b61eade2d4b363e836f2"
}
],
"title": "ALSA: jack: Access input_dev under mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49538",
"datePublished": "2025-02-26T02:13:55.036Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:40.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47647 (GCVE-0-2021-47647)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: ipq8074: fix PCI-E clock oops
Fix PCI-E clock related kernel oops that are caused by a missing clock
parent.
pcie0_rchng_clk_src has num_parents set to 2 but only one parent is
actually set via parent_hws, it should also have "XO" defined.
This will cause the kernel to panic on a NULL pointer in
clk_core_get_parent_by_index().
So, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent
data.
Since there is already an existing static const char * const gcc_xo_gpll0[]
used to provide the same parents via parent_names convert those users to
clk_parent_data as well.
Without this earlycon is needed to even catch the OOPS as it will reset
the board before serial is initialized with the following:
[ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000
[ 0.232322] Mem abort info:
[ 0.239094] ESR = 0x96000004
[ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.244908] SET = 0, FnV = 0
[ 0.250377] EA = 0, S1PTW = 0
[ 0.253236] FSC = 0x04: level 0 translation fault
[ 0.256277] Data abort info:
[ 0.261141] ISV = 0, ISS = 0x00000004
[ 0.264262] CM = 0, WnR = 0
[ 0.267820] [0000a00000000000] address between user and kernel address ranges
[ 0.270954] Internal error: Oops: 96000004 [#1] SMP
[ 0.278067] Modules linked in:
[ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0
[ 0.285882] Hardware name: Xiaomi AX3600 (DT)
[ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec
[ 0.303067] lr : __clk_register+0x1d8/0x820
[ 0.308273] sp : ffffffc01111b7d0
[ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040
[ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800
[ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828
[ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020
[ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a
[ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006
[ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000
[ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06
[ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001
[ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700
[ 0.379982] Call trace:
[ 0.387091] clk_core_get_parent_by_index+0x68/0xec
[ 0.389351] __clk_register+0x1d8/0x820
[ 0.394210] devm_clk_hw_register+0x5c/0xe0
[ 0.398030] devm_clk_register_regmap+0x44/0x8c
[ 0.402198] qcom_cc_really_probe+0x17c/0x1d0
[ 0.406711] qcom_cc_probe+0x34/0x44
[ 0.411224] gcc_ipq8074_probe+0x18/0x30
[ 0.414869] platform_probe+0x68/0xe0
[ 0.418776] really_probe.part.0+0x9c/0x30c
[ 0.422336] __driver_probe_device+0x98/0x144
[ 0.426329] driver_probe_device+0x44/0x11c
[ 0.430842] __device_attach_driver+0xb4/0x120
[ 0.434836] bus_for_each_drv+0x68/0xb0
[ 0.439349] __device_attach+0xb0/0x170
[ 0.443081] device_initial_probe+0x14/0x20
[ 0.446901] bus_probe_device+0x9c/0xa4
[ 0.451067] device_add+0x35c/0x834
[ 0.454886] of_device_add+0x54/0x64
[ 0.458360] of_platform_device_create_pdata+0xc0/0x100
[ 0.462181] of_platform_bus_create+0x114/0x370
[ 0.467128] of_platform_bus_create+0x15c/0x370
[ 0.471641] of_platform_populate+0x50/0xcc
[ 0.476155] of_platform_default_populate_init+0xa8/0xc8
[ 0.480324] do_one_initcall+0x50/0x1b0
[ 0.485877] kernel_init_freeable+0x234/0x29c
[ 0.489436] kernel_init+0x24/0x120
[ 0.493948] ret_from_fork+0x10/0x20
[ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042)
[ 0.501079] ---[ end trace 4ca7e1129da2abce ]---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/gcc-ipq8074.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b89c9e68a01a19a1dd689a42aa65d545e931899",
"status": "affected",
"version": "f0cfcf1ade201dcfd3365f231efc90e846fa46df",
"versionType": "git"
},
{
"lessThan": "41e360fa73a4c2f5b78f5ded78a5375b08c206a5",
"status": "affected",
"version": "f0cfcf1ade201dcfd3365f231efc90e846fa46df",
"versionType": "git"
},
{
"lessThan": "d02b3d4a8c525068bc5cfb4341e0023d8eb82ace",
"status": "affected",
"version": "f0cfcf1ade201dcfd3365f231efc90e846fa46df",
"versionType": "git"
},
{
"lessThan": "5a5576ad405c3c89fc9afb245c4dcc3e412b0aa9",
"status": "affected",
"version": "f0cfcf1ade201dcfd3365f231efc90e846fa46df",
"versionType": "git"
},
{
"lessThan": "bf8f5182b8f59309809b41c1d1730ed9ca6134b1",
"status": "affected",
"version": "f0cfcf1ade201dcfd3365f231efc90e846fa46df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/gcc-ipq8074.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: ipq8074: fix PCI-E clock oops\n\nFix PCI-E clock related kernel oops that are caused by a missing clock\nparent.\n\npcie0_rchng_clk_src has num_parents set to 2 but only one parent is\nactually set via parent_hws, it should also have \"XO\" defined.\nThis will cause the kernel to panic on a NULL pointer in\nclk_core_get_parent_by_index().\n\nSo, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent\ndata.\nSince there is already an existing static const char * const gcc_xo_gpll0[]\nused to provide the same parents via parent_names convert those users to\nclk_parent_data as well.\n\nWithout this earlycon is needed to even catch the OOPS as it will reset\nthe board before serial is initialized with the following:\n\n[ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000\n[ 0.232322] Mem abort info:\n[ 0.239094] ESR = 0x96000004\n[ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 0.244908] SET = 0, FnV = 0\n[ 0.250377] EA = 0, S1PTW = 0\n[ 0.253236] FSC = 0x04: level 0 translation fault\n[ 0.256277] Data abort info:\n[ 0.261141] ISV = 0, ISS = 0x00000004\n[ 0.264262] CM = 0, WnR = 0\n[ 0.267820] [0000a00000000000] address between user and kernel address ranges\n[ 0.270954] Internal error: Oops: 96000004 [#1] SMP\n[ 0.278067] Modules linked in:\n[ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0\n[ 0.285882] Hardware name: Xiaomi AX3600 (DT)\n[ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec\n[ 0.303067] lr : __clk_register+0x1d8/0x820\n[ 0.308273] sp : ffffffc01111b7d0\n[ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040\n[ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800\n[ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828\n[ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020\n[ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a\n[ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006\n[ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000\n[ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06\n[ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001\n[ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700\n[ 0.379982] Call trace:\n[ 0.387091] clk_core_get_parent_by_index+0x68/0xec\n[ 0.389351] __clk_register+0x1d8/0x820\n[ 0.394210] devm_clk_hw_register+0x5c/0xe0\n[ 0.398030] devm_clk_register_regmap+0x44/0x8c\n[ 0.402198] qcom_cc_really_probe+0x17c/0x1d0\n[ 0.406711] qcom_cc_probe+0x34/0x44\n[ 0.411224] gcc_ipq8074_probe+0x18/0x30\n[ 0.414869] platform_probe+0x68/0xe0\n[ 0.418776] really_probe.part.0+0x9c/0x30c\n[ 0.422336] __driver_probe_device+0x98/0x144\n[ 0.426329] driver_probe_device+0x44/0x11c\n[ 0.430842] __device_attach_driver+0xb4/0x120\n[ 0.434836] bus_for_each_drv+0x68/0xb0\n[ 0.439349] __device_attach+0xb0/0x170\n[ 0.443081] device_initial_probe+0x14/0x20\n[ 0.446901] bus_probe_device+0x9c/0xa4\n[ 0.451067] device_add+0x35c/0x834\n[ 0.454886] of_device_add+0x54/0x64\n[ 0.458360] of_platform_device_create_pdata+0xc0/0x100\n[ 0.462181] of_platform_bus_create+0x114/0x370\n[ 0.467128] of_platform_bus_create+0x15c/0x370\n[ 0.471641] of_platform_populate+0x50/0xcc\n[ 0.476155] of_platform_default_populate_init+0xa8/0xc8\n[ 0.480324] do_one_initcall+0x50/0x1b0\n[ 0.485877] kernel_init_freeable+0x234/0x29c\n[ 0.489436] kernel_init+0x24/0x120\n[ 0.493948] ret_from_fork+0x10/0x20\n[ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042)\n[ 0.501079] ---[ end trace 4ca7e1129da2abce ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:28.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b89c9e68a01a19a1dd689a42aa65d545e931899"
},
{
"url": "https://git.kernel.org/stable/c/41e360fa73a4c2f5b78f5ded78a5375b08c206a5"
},
{
"url": "https://git.kernel.org/stable/c/d02b3d4a8c525068bc5cfb4341e0023d8eb82ace"
},
{
"url": "https://git.kernel.org/stable/c/5a5576ad405c3c89fc9afb245c4dcc3e412b0aa9"
},
{
"url": "https://git.kernel.org/stable/c/bf8f5182b8f59309809b41c1d1730ed9ca6134b1"
}
],
"title": "clk: qcom: ipq8074: fix PCI-E clock oops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47647",
"datePublished": "2025-02-26T01:54:15.635Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-05-04T07:15:28.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49444 (GCVE-0-2022-49444)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
module: fix [e_shstrndx].sh_size=0 OOB access
It is trivial to craft a module to trigger OOB access in this line:
if (info->secstrings[strhdr->sh_size - 1] != '\0') {
BUG: unable to handle page fault for address: ffffc90000aa0fff
PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:load_module+0x19b/0x2391
[rebased patch onto modules-next]
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ec2a29593c83ed71a7f16e3243941ebfcf75fdf6 Version: ec2a29593c83ed71a7f16e3243941ebfcf75fdf6 Version: ec2a29593c83ed71a7f16e3243941ebfcf75fdf6 Version: ec2a29593c83ed71a7f16e3243941ebfcf75fdf6 Version: 05d891e76dde3e430c707dae7d85139794eeadbd Version: d802672c7f00963613f289579073ac519f0d306c Version: 214aa69cac91a723239118bbbfe77d5654ddff6b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/module/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09cb6663618a74fe5572a4931ecbf098832e79ec",
"status": "affected",
"version": "ec2a29593c83ed71a7f16e3243941ebfcf75fdf6",
"versionType": "git"
},
{
"lessThan": "921630e2e5124a04158129a8f22f4b425e61a858",
"status": "affected",
"version": "ec2a29593c83ed71a7f16e3243941ebfcf75fdf6",
"versionType": "git"
},
{
"lessThan": "45a76414b6d8b8b39c23fea53b9d20e831ae72a0",
"status": "affected",
"version": "ec2a29593c83ed71a7f16e3243941ebfcf75fdf6",
"versionType": "git"
},
{
"lessThan": "391e982bfa632b8315235d8be9c0a81374c6a19c",
"status": "affected",
"version": "ec2a29593c83ed71a7f16e3243941ebfcf75fdf6",
"versionType": "git"
},
{
"status": "affected",
"version": "05d891e76dde3e430c707dae7d85139794eeadbd",
"versionType": "git"
},
{
"status": "affected",
"version": "d802672c7f00963613f289579073ac519f0d306c",
"versionType": "git"
},
{
"status": "affected",
"version": "214aa69cac91a723239118bbbfe77d5654ddff6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/module/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: fix [e_shstrndx].sh_size=0 OOB access\n\nIt is trivial to craft a module to trigger OOB access in this line:\n\n\tif (info-\u003esecstrings[strhdr-\u003esh_size - 1] != \u0027\\0\u0027) {\n\nBUG: unable to handle page fault for address: ffffc90000aa0fff\nPGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\nRIP: 0010:load_module+0x19b/0x2391\n\n[rebased patch onto modules-next]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:49.062Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09cb6663618a74fe5572a4931ecbf098832e79ec"
},
{
"url": "https://git.kernel.org/stable/c/921630e2e5124a04158129a8f22f4b425e61a858"
},
{
"url": "https://git.kernel.org/stable/c/45a76414b6d8b8b39c23fea53b9d20e831ae72a0"
},
{
"url": "https://git.kernel.org/stable/c/391e982bfa632b8315235d8be9c0a81374c6a19c"
}
],
"title": "module: fix [e_shstrndx].sh_size=0 OOB access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49444",
"datePublished": "2025-02-26T02:12:56.606Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-05-04T12:44:49.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49392 (GCVE-0-2022-49392)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe
platform_get_resource() may fail and return NULL, so we should
better check it's return value to avoid a NULL pointer dereference.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49392",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:31.347786Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_aspeed_vuart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "923d34ce069e8e51a4d003caa6b66a8cd6ecd0ed",
"status": "affected",
"version": "54da3e381c2b55289b220601f403f17df7b20597",
"versionType": "git"
},
{
"lessThan": "90a6b6fc52bfdcfe9698454bf5bea26112abbcd1",
"status": "affected",
"version": "54da3e381c2b55289b220601f403f17df7b20597",
"versionType": "git"
},
{
"lessThan": "d5f1275f101e0e8a172d300d897f5a12e87e3485",
"status": "affected",
"version": "54da3e381c2b55289b220601f403f17df7b20597",
"versionType": "git"
},
{
"lessThan": "0e0fd55719fa081de6f9e5d9e6cef48efb04d34a",
"status": "affected",
"version": "54da3e381c2b55289b220601f403f17df7b20597",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_aspeed_vuart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe\n\nplatform_get_resource() may fail and return NULL, so we should\nbetter check it\u0027s return value to avoid a NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:42.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/923d34ce069e8e51a4d003caa6b66a8cd6ecd0ed"
},
{
"url": "https://git.kernel.org/stable/c/90a6b6fc52bfdcfe9698454bf5bea26112abbcd1"
},
{
"url": "https://git.kernel.org/stable/c/d5f1275f101e0e8a172d300d897f5a12e87e3485"
},
{
"url": "https://git.kernel.org/stable/c/0e0fd55719fa081de6f9e5d9e6cef48efb04d34a"
}
],
"title": "serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49392",
"datePublished": "2025-02-26T02:11:24.258Z",
"dateReserved": "2025-02-26T02:08:31.562Z",
"dateUpdated": "2025-10-01T19:46:50.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56751 (GCVE-0-2024-56751)
Vulnerability from cvelistv5
Published
2024-12-29 11:30
Modified
2025-11-03 20:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: release nexthop on device removal
The CI is hitting some aperiodic hangup at device removal time in the
pmtu.sh self-test:
unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
dst_init+0x84/0x4a0
dst_alloc+0x97/0x150
ip6_dst_alloc+0x23/0x90
ip6_rt_pcpu_alloc+0x1e6/0x520
ip6_pol_route+0x56f/0x840
fib6_rule_lookup+0x334/0x630
ip6_route_output_flags+0x259/0x480
ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
ip6_dst_lookup_flow+0x88/0x190
udp_tunnel6_dst_lookup+0x2a7/0x4c0
vxlan_xmit_one+0xbde/0x4a50 [vxlan]
vxlan_xmit+0x9ad/0xf20 [vxlan]
dev_hard_start_xmit+0x10e/0x360
__dev_queue_xmit+0xf95/0x18c0
arp_solicit+0x4a2/0xe00
neigh_probe+0xaa/0xf0
While the first suspect is the dst_cache, explicitly tracking the dst
owing the last device reference via probes proved such dst is held by
the nexthop in the originating fib6_info.
Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
removal"), we need to explicitly release the originating fib info when
disconnecting a to-be-removed device from a live ipv6 dst: move the
fib6_info cleanup into ip6_dst_ifdown().
Tested running:
./pmtu.sh cleanup_ipv6_exception
in a tight loop for more than 400 iterations with no spat, running an
unpatched kernel I observed a splat every ~10 iterations.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 Version: f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:53:42.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77aa9855a878fb43f547ddfbda3127a1e88ad31a",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
},
{
"lessThan": "b2f26a27ea3f72f75d18330f76f5d1007c791848",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
},
{
"lessThan": "43e25adc80269f917d2a195f0d59f74cdd182955",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
},
{
"lessThan": "a3c3f8a4d025acc8c857246ec2b812c59102487a",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
},
{
"lessThan": "0e4c6faaef8a24b762a24ffb767280e263ef8e10",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
},
{
"lessThan": "eb02688c5c45c3e7af7e71f036a7144f5639cbfe",
"status": "affected",
"version": "f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: release nexthop on device removal\n\nThe CI is hitting some aperiodic hangup at device removal time in the\npmtu.sh self-test:\n\nunregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6\nref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at\n\tdst_init+0x84/0x4a0\n\tdst_alloc+0x97/0x150\n\tip6_dst_alloc+0x23/0x90\n\tip6_rt_pcpu_alloc+0x1e6/0x520\n\tip6_pol_route+0x56f/0x840\n\tfib6_rule_lookup+0x334/0x630\n\tip6_route_output_flags+0x259/0x480\n\tip6_dst_lookup_tail.constprop.0+0x5c2/0x940\n\tip6_dst_lookup_flow+0x88/0x190\n\tudp_tunnel6_dst_lookup+0x2a7/0x4c0\n\tvxlan_xmit_one+0xbde/0x4a50 [vxlan]\n\tvxlan_xmit+0x9ad/0xf20 [vxlan]\n\tdev_hard_start_xmit+0x10e/0x360\n\t__dev_queue_xmit+0xf95/0x18c0\n\tarp_solicit+0x4a2/0xe00\n\tneigh_probe+0xaa/0xf0\n\nWhile the first suspect is the dst_cache, explicitly tracking the dst\nowing the last device reference via probes proved such dst is held by\nthe nexthop in the originating fib6_info.\n\nSimilar to commit f5b51fe804ec (\"ipv6: route: purge exception on\nremoval\"), we need to explicitly release the originating fib info when\ndisconnecting a to-be-removed device from a live ipv6 dst: move the\nfib6_info cleanup into ip6_dst_ifdown().\n\nTested running:\n\n./pmtu.sh cleanup_ipv6_exception\n\nin a tight loop for more than 400 iterations with no spat, running an\nunpatched kernel I observed a splat every ~10 iterations."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:03:52.312Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77aa9855a878fb43f547ddfbda3127a1e88ad31a"
},
{
"url": "https://git.kernel.org/stable/c/b2f26a27ea3f72f75d18330f76f5d1007c791848"
},
{
"url": "https://git.kernel.org/stable/c/43e25adc80269f917d2a195f0d59f74cdd182955"
},
{
"url": "https://git.kernel.org/stable/c/a3c3f8a4d025acc8c857246ec2b812c59102487a"
},
{
"url": "https://git.kernel.org/stable/c/0e4c6faaef8a24b762a24ffb767280e263ef8e10"
},
{
"url": "https://git.kernel.org/stable/c/eb02688c5c45c3e7af7e71f036a7144f5639cbfe"
}
],
"title": "ipv6: release nexthop on device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56751",
"datePublished": "2024-12-29T11:30:16.805Z",
"dateReserved": "2024-12-29T11:26:39.759Z",
"dateUpdated": "2025-11-03T20:53:42.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53025 (GCVE-0-2023-53025)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-06-05T14:53:39.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53025",
"datePublished": "2025-03-27T16:43:50.536Z",
"dateRejected": "2025-06-05T14:53:39.739Z",
"dateReserved": "2025-03-27T16:40:15.755Z",
"dateUpdated": "2025-06-05T14:53:39.739Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49676 (GCVE-0-2022-49676)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
This function doesn't call of_node_put() in some error paths.
To unify the structure, Add put_node label and goto it on errors.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:15.517428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/memory/samsung/exynos5422-dmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "889aad2203e09eed2071ca8985c25e9d6aea5735",
"status": "affected",
"version": "6e7674c3c6df565ab47d02b4f2e608e3477cdf86",
"versionType": "git"
},
{
"lessThan": "cde4480b5ab06195b9164184b0c02ced71e601b4",
"status": "affected",
"version": "6e7674c3c6df565ab47d02b4f2e608e3477cdf86",
"versionType": "git"
},
{
"lessThan": "bb2a481778c60f912c363e271ae46b55ff8132db",
"status": "affected",
"version": "6e7674c3c6df565ab47d02b4f2e608e3477cdf86",
"versionType": "git"
},
{
"lessThan": "1332661e09304b7b8e84e5edc11811ba08d12abe",
"status": "affected",
"version": "6e7674c3c6df565ab47d02b4f2e608e3477cdf86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/memory/samsung/exynos5422-dmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nThis function doesn\u0027t call of_node_put() in some error paths.\nTo unify the structure, Add put_node label and goto it on errors."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:06.325Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/889aad2203e09eed2071ca8985c25e9d6aea5735"
},
{
"url": "https://git.kernel.org/stable/c/cde4480b5ab06195b9164184b0c02ced71e601b4"
},
{
"url": "https://git.kernel.org/stable/c/bb2a481778c60f912c363e271ae46b55ff8132db"
},
{
"url": "https://git.kernel.org/stable/c/1332661e09304b7b8e84e5edc11811ba08d12abe"
}
],
"title": "memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49676",
"datePublished": "2025-02-26T02:24:07.905Z",
"dateReserved": "2025-02-26T02:21:30.438Z",
"dateUpdated": "2025-10-01T19:36:47.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49096 (GCVE-0-2022-49096)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sfc: add missing xdp queue reinitialization
After rx/tx ring buffer size is changed, kernel panic occurs when
it acts XDP_TX or XDP_REDIRECT.
When tx/rx ring buffer size is changed(ethtool -G), sfc driver
reallocates and reinitializes rx and tx queues and their buffer
(tx_queue->buffer).
But it misses reinitializing xdp queues(efx->xdp_tx_queues).
So, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized
tx_queue->buffer.
A new function efx_set_xdp_channels() is separated from efx_set_channels()
to handle only xdp queues.
Splat looks like:
BUG: kernel NULL pointer dereference, address: 000000000000002a
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#4] PREEMPT SMP NOPTI
RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]
CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.17.0+ #55 e8beeee8289528f11357029357cf
Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80
RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297
RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]
RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870
RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0
RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000
R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040
R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0
FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80
CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0
RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297
PKRU: 55555554
RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870
RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700
RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000
R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040
R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700
FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0
PKRU: 55555554
Call Trace:
<IRQ>
efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
__efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
? enqueue_task_fair+0x95/0x550
efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:29.340028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/efx_channels.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed7a824fda8732578d1014fad1f7fb0363705090",
"status": "affected",
"version": "3990a8fffbdad5765f47ea593f9de66c91762059",
"versionType": "git"
},
{
"lessThan": "b8c46bc358d84701e7f7ffa054037db25f25da0e",
"status": "affected",
"version": "3990a8fffbdad5765f47ea593f9de66c91762059",
"versionType": "git"
},
{
"lessThan": "dcc85e1593686e42c6749ef3d356db34759d59e8",
"status": "affected",
"version": "3990a8fffbdad5765f47ea593f9de66c91762059",
"versionType": "git"
},
{
"lessThan": "059a47f1da93811d37533556d67e72f2261b1127",
"status": "affected",
"version": "3990a8fffbdad5765f47ea593f9de66c91762059",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/efx_channels.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sfc: add missing xdp queue reinitialization\n\nAfter rx/tx ring buffer size is changed, kernel panic occurs when\nit acts XDP_TX or XDP_REDIRECT.\n\nWhen tx/rx ring buffer size is changed(ethtool -G), sfc driver\nreallocates and reinitializes rx and tx queues and their buffer\n(tx_queue-\u003ebuffer).\nBut it misses reinitializing xdp queues(efx-\u003exdp_tx_queues).\nSo, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized\ntx_queue-\u003ebuffer.\n\nA new function efx_set_xdp_channels() is separated from efx_set_channels()\nto handle only xdp queues.\n\nSplat looks like:\n BUG: kernel NULL pointer dereference, address: 000000000000002a\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#4] PREEMPT SMP NOPTI\n RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.17.0+ #55 e8beeee8289528f11357029357cf\n Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297\n RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870\n RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0\n RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000\n R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0\n FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0\n RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297\n PKRU: 55555554\n RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870\n RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700\n RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000\n R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700\n FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n ? enqueue_task_fair+0x95/0x550\n efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:48.329Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed7a824fda8732578d1014fad1f7fb0363705090"
},
{
"url": "https://git.kernel.org/stable/c/b8c46bc358d84701e7f7ffa054037db25f25da0e"
},
{
"url": "https://git.kernel.org/stable/c/dcc85e1593686e42c6749ef3d356db34759d59e8"
},
{
"url": "https://git.kernel.org/stable/c/059a47f1da93811d37533556d67e72f2261b1127"
}
],
"title": "net: sfc: add missing xdp queue reinitialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49096",
"datePublished": "2025-02-26T01:54:49.108Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-10-01T19:57:05.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49244 (GCVE-0-2022-49244)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
Fix this by calling of_node_put() in error handling too.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87e04a89c31e792eef62bcba6ebb77fd323d28a1",
"status": "affected",
"version": "286c6f7b28fab19d649c2e1f3bc18fdecdbadfe5",
"versionType": "git"
},
{
"lessThan": "d5a38629f1aaf397fd471b27e49d55289ddc0656",
"status": "affected",
"version": "d1be8577f0b2f679095d237aaf281dca344f06c4",
"versionType": "git"
},
{
"lessThan": "1765787ec02e824f4f5e672cf269280a5da09d2f",
"status": "affected",
"version": "4e28491a7a198c668437f2be8a91a76aa52f20eb",
"versionType": "git"
},
{
"lessThan": "e45ac7831ff3e2934d58cce319c17c8ec763c95c",
"status": "affected",
"version": "4e28491a7a198c668437f2be8a91a76aa52f20eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:14.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87e04a89c31e792eef62bcba6ebb77fd323d28a1"
},
{
"url": "https://git.kernel.org/stable/c/d5a38629f1aaf397fd471b27e49d55289ddc0656"
},
{
"url": "https://git.kernel.org/stable/c/1765787ec02e824f4f5e672cf269280a5da09d2f"
},
{
"url": "https://git.kernel.org/stable/c/e45ac7831ff3e2934d58cce319c17c8ec763c95c"
}
],
"title": "ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49244",
"datePublished": "2025-02-26T01:56:04.783Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:14.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49541 (GCVE-0-2022-49541)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential double free during failed mount
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2088799
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:38.834933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:40.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce0008a0e410cdd95f0d8cd81b2902ec10a660c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9a167fc440e5693c1cdd7f07071e05658bd9d89d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee71f8f1cd3c8c4a251fd3e8abc89215ae3457cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8378a51e3f8140f60901fb27208cc7a6e47047b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential double free during failed mount\n\nRHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2088799"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:09.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce0008a0e410cdd95f0d8cd81b2902ec10a660c4"
},
{
"url": "https://git.kernel.org/stable/c/9a167fc440e5693c1cdd7f07071e05658bd9d89d"
},
{
"url": "https://git.kernel.org/stable/c/ee71f8f1cd3c8c4a251fd3e8abc89215ae3457cb"
},
{
"url": "https://git.kernel.org/stable/c/8378a51e3f8140f60901fb27208cc7a6e47047b5"
}
],
"title": "cifs: fix potential double free during failed mount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49541",
"datePublished": "2025-02-26T02:13:56.496Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:40.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21727 (GCVE-0-2025-21727)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with
ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection, to address this issue, add
synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc Version: b128a30409356df65f1a51cff3eb986cac8cfedc |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:06.104597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:30.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:52.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
},
{
"url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
},
{
"url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
},
{
"url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
},
{
"url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
},
{
"url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
},
{
"url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
}
],
"title": "padata: fix UAF in padata_reorder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21727",
"datePublished": "2025-02-27T02:07:33.501Z",
"dateReserved": "2024-12-29T08:45:45.754Z",
"dateUpdated": "2025-11-03T19:36:30.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49543 (GCVE-0-2022-49543)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()
When test device recovery with below command, it has warning in message
as below.
echo assert > /sys/kernel/debug/ath11k/wcn6855\ hw2.0/simulate_fw_crash
echo assert > /sys/kernel/debug/ath11k/qca6390\ hw2.0/simulate_fw_crash
warning message:
[ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash
[ 1968.471364] ieee80211 phy0: Hardware restart was requested
[ 1968.511305] ------------[ cut here ]------------
[ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core
[ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G W 5.17.0-rc3-wt-ath+ #579
[ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]
[ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff <0f> 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89
[ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286
[ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922
[ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24
[ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27
[ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac
[ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24
[ 1968.512310] FS: 0000000000000000(0000) GS:ffff888234200000(0000) knlGS:0000000000000000
[ 1968.512405] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0
[ 1968.512587] Call Trace:
[ 1968.512672] <TASK>
[ 1968.512751] ? _raw_spin_unlock_irq+0x1f/0x40
[ 1968.512859] mhi_pm_st_worker+0x3ac/0x790 [mhi]
[ 1968.512959] ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]
[ 1968.513063] process_one_work+0x86a/0x1400
[ 1968.513184] ? pwq_dec_nr_in_flight+0x230/0x230
[ 1968.513312] ? move_linked_works+0x125/0x290
[ 1968.513416] worker_thread+0x6db/0xf60
[ 1968.513536] ? process_one_work+0x1400/0x1400
[ 1968.513627] kthread+0x241/0x2d0
[ 1968.513733] ? kthread_complete_and_exit+0x20/0x20
[ 1968.513821] ret_from_fork+0x22/0x30
[ 1968.513924] </TASK>
Reason is mhi_deassert_dev_wake() from mhi_device_put() is called
but mhi_assert_dev_wake() from __mhi_device_get_sync() is not called
in progress of recovery. Commit 8e0559921f9a ("bus: mhi: core:
Skip device wake in error or shutdown state") add check for the
pm_state of mhi in __mhi_device_get_sync(), and the pm_state is not
the normal state untill recovery is completed, so it leads the
dev_wake is not 0 and above warning print in mhi_pm_disable_transition()
while checking mhi_cntrl->dev_wake.
Add check in ath11k_pci_write32()/ath11k_pci_read32() to skip call
mhi_device_put() if mhi_device_get_sync() does not really do wake,
then the warning gone.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f18206cddae033c488e4879f198699092ca0524",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "a2d9b7357469949ad02f511fc69f8fa3a1afbf89",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "0d7a8a6204ea9271f1d0a8c66a9fd2f54d2e3cbc",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix the warning of dev_wake in mhi_pm_disable_transition()\n\nWhen test device recovery with below command, it has warning in message\nas below.\necho assert \u003e /sys/kernel/debug/ath11k/wcn6855\\ hw2.0/simulate_fw_crash\necho assert \u003e /sys/kernel/debug/ath11k/qca6390\\ hw2.0/simulate_fw_crash\n\nwarning message:\n[ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash\n[ 1968.471364] ieee80211 phy0: Hardware restart was requested\n[ 1968.511305] ------------[ cut here ]------------\n[ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]\n[ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core\n[ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G W 5.17.0-rc3-wt-ath+ #579\n[ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]\n[ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]\n[ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff \u003c0f\u003e 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89\n[ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286\n[ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922\n[ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24\n[ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27\n[ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac\n[ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24\n[ 1968.512310] FS: 0000000000000000(0000) GS:ffff888234200000(0000) knlGS:0000000000000000\n[ 1968.512405] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0\n[ 1968.512587] Call Trace:\n[ 1968.512672] \u003cTASK\u003e\n[ 1968.512751] ? _raw_spin_unlock_irq+0x1f/0x40\n[ 1968.512859] mhi_pm_st_worker+0x3ac/0x790 [mhi]\n[ 1968.512959] ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]\n[ 1968.513063] process_one_work+0x86a/0x1400\n[ 1968.513184] ? pwq_dec_nr_in_flight+0x230/0x230\n[ 1968.513312] ? move_linked_works+0x125/0x290\n[ 1968.513416] worker_thread+0x6db/0xf60\n[ 1968.513536] ? process_one_work+0x1400/0x1400\n[ 1968.513627] kthread+0x241/0x2d0\n[ 1968.513733] ? kthread_complete_and_exit+0x20/0x20\n[ 1968.513821] ret_from_fork+0x22/0x30\n[ 1968.513924] \u003c/TASK\u003e\n\nReason is mhi_deassert_dev_wake() from mhi_device_put() is called\nbut mhi_assert_dev_wake() from __mhi_device_get_sync() is not called\nin progress of recovery. Commit 8e0559921f9a (\"bus: mhi: core:\nSkip device wake in error or shutdown state\") add check for the\npm_state of mhi in __mhi_device_get_sync(), and the pm_state is not\nthe normal state untill recovery is completed, so it leads the\ndev_wake is not 0 and above warning print in mhi_pm_disable_transition()\nwhile checking mhi_cntrl-\u003edev_wake.\n\nAdd check in ath11k_pci_write32()/ath11k_pci_read32() to skip call\nmhi_device_put() if mhi_device_get_sync() does not really do wake,\nthen the warning gone.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:11.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f18206cddae033c488e4879f198699092ca0524"
},
{
"url": "https://git.kernel.org/stable/c/a2d9b7357469949ad02f511fc69f8fa3a1afbf89"
},
{
"url": "https://git.kernel.org/stable/c/0d7a8a6204ea9271f1d0a8c66a9fd2f54d2e3cbc"
}
],
"title": "ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49543",
"datePublished": "2025-02-26T02:13:57.422Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-05-04T08:40:11.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49592 (GCVE-0-2022-49592)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix dma queue left shift overflow issue
When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
If CONFIG_UBSAN is enabled, kernel dumps below warning:
[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70
This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 Version: d43042f4da3e1c2e4ccac3b1d9153cb0798533a4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad2febdfbd01e1d092a08bfdba92ede79ea05ff3",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "508d86ead36cbd8dfb60773a33276790d668c473",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "573768dede0e2b7de38ecbc11cb3ee47643902dc",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "a3ac79f38d354b10925824899cdbd2caadce55ba",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "7c687a893f5cae5ca40d189635602e93af9bab73",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "e846bde09677fa3b203057846620b7ed96540f5f",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
},
{
"lessThan": "613b065ca32e90209024ec4a6bb5ca887ee70980",
"status": "affected",
"version": "d43042f4da3e1c2e4ccac3b1d9153cb0798533a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.290",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix dma queue left shift overflow issue\n\nWhen queue number is \u003e 4, left shift overflows due to 32 bits\ninteger variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.\n\nIf CONFIG_UBSAN is enabled, kernel dumps below warning:\n[ 10.363842] ==================================================================\n[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/\nlinux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12\n[ 10.363929] shift exponent 40 is too large for 32-bit type \u0027unsigned int\u0027\n[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg\n[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021\n[ 10.363958] Call Trace:\n[ 10.363960] \u003cTASK\u003e\n[ 10.363963] dump_stack_lvl+0x4a/0x5f\n[ 10.363971] dump_stack+0x10/0x12\n[ 10.363974] ubsan_epilogue+0x9/0x45\n[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n[ 10.363979] ? wake_up_klogd+0x4a/0x50\n[ 10.363983] ? vprintk_emit+0x8f/0x240\n[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]\n[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]\n[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]\n[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]\n[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70\n[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]\n[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]\n[ 10.364050] __dev_open+0xf0/0x1a0\n[ 10.364054] __dev_change_flags+0x188/0x1f0\n[ 10.364057] dev_change_flags+0x26/0x60\n[ 10.364059] do_setlink+0x908/0xc40\n[ 10.364062] ? do_setlink+0xb10/0xc40\n[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0\n[ 10.364068] __rtnl_newlink+0x597/0xa10\n[ 10.364072] ? __nla_reserve+0x41/0x50\n[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0\n[ 10.364079] ? pskb_expand_head+0x75/0x310\n[ 10.364082] ? nla_reserve_64bit+0x21/0x40\n[ 10.364086] ? skb_free_head+0x65/0x80\n[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50\n[ 10.364094] ? __cond_resched+0x19/0x30\n[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420\n[ 10.364100] rtnl_newlink+0x49/0x70\n\nThis change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue\nmapping warning.\n\nBugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:21.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad2febdfbd01e1d092a08bfdba92ede79ea05ff3"
},
{
"url": "https://git.kernel.org/stable/c/508d86ead36cbd8dfb60773a33276790d668c473"
},
{
"url": "https://git.kernel.org/stable/c/573768dede0e2b7de38ecbc11cb3ee47643902dc"
},
{
"url": "https://git.kernel.org/stable/c/a3ac79f38d354b10925824899cdbd2caadce55ba"
},
{
"url": "https://git.kernel.org/stable/c/7c687a893f5cae5ca40d189635602e93af9bab73"
},
{
"url": "https://git.kernel.org/stable/c/e846bde09677fa3b203057846620b7ed96540f5f"
},
{
"url": "https://git.kernel.org/stable/c/613b065ca32e90209024ec4a6bb5ca887ee70980"
}
],
"title": "net: stmmac: fix dma queue left shift overflow issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49592",
"datePublished": "2025-02-26T02:23:24.552Z",
"dateReserved": "2025-02-26T02:21:30.413Z",
"dateUpdated": "2025-05-04T08:41:21.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49647 (GCVE-0-2022-49647)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Use separate src/dst nodes when preloading css_sets for migration
Each cset (css_set) is pinned by its tasks. When we're moving tasks around
across csets for a migration, we need to hold the source and destination
csets to ensure that they don't go away while we're moving tasks about. This
is done by linking cset->mg_preload_node on either the
mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the
same cset->mg_preload_node for both the src and dst lists was deemed okay as
a cset can't be both the source and destination at the same time.
Unfortunately, this overloading becomes problematic when multiple tasks are
involved in a migration and some of them are identity noop migrations while
others are actually moving across cgroups. For example, this can happen with
the following sequence on cgroup1:
#1> mkdir -p /sys/fs/cgroup/misc/a/b
#2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
#3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
#4> PID=$!
#5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
#6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
the process including the group leader back into a. In this final migration,
non-leader threads would be doing identity migration while the group leader
is doing an actual one.
After #3, let's say the whole process was in cset A, and that after #4, the
leader moves to cset B. Then, during #6, the following happens:
1. cgroup_migrate_add_src() is called on B for the leader.
2. cgroup_migrate_add_src() is called on A for the other threads.
3. cgroup_migrate_prepare_dst() is called. It scans the src list.
4. It notices that B wants to migrate to A, so it tries to A to the dst
list but realizes that its ->mg_preload_node is already busy.
5. and then it notices A wants to migrate to A as it's an identity
migration, it culls it by list_del_init()'ing its ->mg_preload_node and
putting references accordingly.
6. The rest of migration takes place with B on the src list but nothing on
the dst list.
This means that A isn't held while migration is in progress. If all tasks
leave A before the migration finishes and the incoming task pins it, the
cset will be destroyed leading to use-after-free.
This is caused by overloading cset->mg_preload_node for both src and dst
preload lists. We wanted to exclude the cset from the src list but ended up
inadvertently excluding it from the dst list too.
This patch fixes the issue by separating out cset->mg_preload_node into
->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
preloadings don't interfere with each other.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e Version: f817de98513d060023be4fa1d061b29a6515273e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:22.179725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/cgroup-defs.h",
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "cec2bbdcc14fbaa6b95ee15a7c423b05d97038be",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "7657e3958535d101a24ab4400f9b8062b9107cc4",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "54aee4e5ce8c21555286a6333e46c1713880cf93",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "0e41774b564befa6d271e8d5086bf870d617a4e6",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
},
{
"lessThan": "07fd5b6cdf3cc30bfde8fe0f644771688be04447",
"status": "affected",
"version": "f817de98513d060023be4fa1d061b29a6515273e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/cgroup-defs.h",
"kernel/cgroup/cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Use separate src/dst nodes when preloading css_sets for migration\n\nEach cset (css_set) is pinned by its tasks. When we\u0027re moving tasks around\nacross csets for a migration, we need to hold the source and destination\ncsets to ensure that they don\u0027t go away while we\u0027re moving tasks about. This\nis done by linking cset-\u003emg_preload_node on either the\nmgctx-\u003epreloaded_src_csets or mgctx-\u003epreloaded_dst_csets list. Using the\nsame cset-\u003emg_preload_node for both the src and dst lists was deemed okay as\na cset can\u0027t be both the source and destination at the same time.\n\nUnfortunately, this overloading becomes problematic when multiple tasks are\ninvolved in a migration and some of them are identity noop migrations while\nothers are actually moving across cgroups. For example, this can happen with\nthe following sequence on cgroup1:\n\n #1\u003e mkdir -p /sys/fs/cgroup/misc/a/b\n #2\u003e echo $$ \u003e /sys/fs/cgroup/misc/a/cgroup.procs\n #3\u003e RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS \u0026\n #4\u003e PID=$!\n #5\u003e echo $PID \u003e /sys/fs/cgroup/misc/a/b/tasks\n #6\u003e echo $PID \u003e /sys/fs/cgroup/misc/a/cgroup.procs\n\nthe process including the group leader back into a. In this final migration,\nnon-leader threads would be doing identity migration while the group leader\nis doing an actual one.\n\nAfter #3, let\u0027s say the whole process was in cset A, and that after #4, the\nleader moves to cset B. Then, during #6, the following happens:\n\n 1. cgroup_migrate_add_src() is called on B for the leader.\n\n 2. cgroup_migrate_add_src() is called on A for the other threads.\n\n 3. cgroup_migrate_prepare_dst() is called. It scans the src list.\n\n 4. It notices that B wants to migrate to A, so it tries to A to the dst\n list but realizes that its -\u003emg_preload_node is already busy.\n\n 5. and then it notices A wants to migrate to A as it\u0027s an identity\n migration, it culls it by list_del_init()\u0027ing its -\u003emg_preload_node and\n putting references accordingly.\n\n 6. The rest of migration takes place with B on the src list but nothing on\n the dst list.\n\nThis means that A isn\u0027t held while migration is in progress. If all tasks\nleave A before the migration finishes and the incoming task pins it, the\ncset will be destroyed leading to use-after-free.\n\nThis is caused by overloading cset-\u003emg_preload_node for both src and dst\npreload lists. We wanted to exclude the cset from the src list but ended up\ninadvertently excluding it from the dst list too.\n\nThis patch fixes the issue by separating out cset-\u003emg_preload_node into\n-\u003emg_src_preload_node and -\u003emg_dst_preload_node, so that the src and dst\npreloadings don\u0027t interfere with each other."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:31.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27"
},
{
"url": "https://git.kernel.org/stable/c/cec2bbdcc14fbaa6b95ee15a7c423b05d97038be"
},
{
"url": "https://git.kernel.org/stable/c/ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68"
},
{
"url": "https://git.kernel.org/stable/c/7657e3958535d101a24ab4400f9b8062b9107cc4"
},
{
"url": "https://git.kernel.org/stable/c/54aee4e5ce8c21555286a6333e46c1713880cf93"
},
{
"url": "https://git.kernel.org/stable/c/0e41774b564befa6d271e8d5086bf870d617a4e6"
},
{
"url": "https://git.kernel.org/stable/c/07fd5b6cdf3cc30bfde8fe0f644771688be04447"
}
],
"title": "cgroup: Use separate src/dst nodes when preloading css_sets for migration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49647",
"datePublished": "2025-02-26T02:23:51.561Z",
"dateReserved": "2025-02-26T02:21:30.432Z",
"dateUpdated": "2025-05-04T08:42:31.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49331 (GCVE-0-2022-49331)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 Version: 26fc6c7f02cb26c39c4733de3dbc3c0646fc1074 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:19.500104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/st21nfca/se.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "593773088d615a46a42c97e01a0550d192bb7f74",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "d221ce54ce331c1a23be71eebf57f6a088632383",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "6fce324b530dd74750ad870699e33eeed1029ded",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "3eca2c42daa4659965db6817479027cbc6df7899",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "54423649bc0ed464b75807a7cf2857a5871f738f",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "f444ecd3f57f4ba5090fe8b6756933e37de4226e",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "db836b97464d44340b568e041fd24602858713f7",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "55904086041ba4ee4070187b36590f8f8d6df4cd",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
},
{
"lessThan": "996419e0594abb311fb958553809f24f38e7abbe",
"status": "affected",
"version": "26fc6c7f02cb26c39c4733de3dbc3c0646fc1074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/st21nfca/se.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling\n\nError paths do not free previously allocated memory. Add devm_kfree() to\nthose failure paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:22.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/593773088d615a46a42c97e01a0550d192bb7f74"
},
{
"url": "https://git.kernel.org/stable/c/d221ce54ce331c1a23be71eebf57f6a088632383"
},
{
"url": "https://git.kernel.org/stable/c/6fce324b530dd74750ad870699e33eeed1029ded"
},
{
"url": "https://git.kernel.org/stable/c/3eca2c42daa4659965db6817479027cbc6df7899"
},
{
"url": "https://git.kernel.org/stable/c/54423649bc0ed464b75807a7cf2857a5871f738f"
},
{
"url": "https://git.kernel.org/stable/c/f444ecd3f57f4ba5090fe8b6756933e37de4226e"
},
{
"url": "https://git.kernel.org/stable/c/db836b97464d44340b568e041fd24602858713f7"
},
{
"url": "https://git.kernel.org/stable/c/55904086041ba4ee4070187b36590f8f8d6df4cd"
},
{
"url": "https://git.kernel.org/stable/c/996419e0594abb311fb958553809f24f38e7abbe"
}
],
"title": "nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49331",
"datePublished": "2025-02-26T02:10:51.040Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-10-01T19:46:55.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49437 (GCVE-0-2022-49437)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/xive: Fix refcount leak in xive_spapr_init
of_find_compatible_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:05.966582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:49.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xive/spapr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65f11ccdd746e0e7f0b469cc989ba43d4f30ecfe",
"status": "affected",
"version": "eac1e731b59ee3b5f5e641a7765c7ed41ed26226",
"versionType": "git"
},
{
"lessThan": "6e806485d851986a2445267608f27cb4ba2ed774",
"status": "affected",
"version": "eac1e731b59ee3b5f5e641a7765c7ed41ed26226",
"versionType": "git"
},
{
"lessThan": "cc62dde2a5f4ba14016fd9caec76f08d388f4b9c",
"status": "affected",
"version": "eac1e731b59ee3b5f5e641a7765c7ed41ed26226",
"versionType": "git"
},
{
"lessThan": "1d1fb9618bdd5a5fbf9a9eb75133da301d33721c",
"status": "affected",
"version": "eac1e731b59ee3b5f5e641a7765c7ed41ed26226",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xive/spapr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive: Fix refcount leak in xive_spapr_init\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:38.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65f11ccdd746e0e7f0b469cc989ba43d4f30ecfe"
},
{
"url": "https://git.kernel.org/stable/c/6e806485d851986a2445267608f27cb4ba2ed774"
},
{
"url": "https://git.kernel.org/stable/c/cc62dde2a5f4ba14016fd9caec76f08d388f4b9c"
},
{
"url": "https://git.kernel.org/stable/c/1d1fb9618bdd5a5fbf9a9eb75133da301d33721c"
}
],
"title": "powerpc/xive: Fix refcount leak in xive_spapr_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49437",
"datePublished": "2025-02-26T02:12:52.524Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-10-01T19:46:49.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53178 (GCVE-0-2024-53178)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-10-01 20:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: Don't leak cfid when reconnect races with open_cached_dir
open_cached_dir() may either race with the tcon reconnection even before
compound_send_recv() or directly trigger a reconnection via
SMB2_open_init() or SMB_query_info_init().
The reconnection process invokes invalidate_all_cached_dirs() via
cifs_mark_open_files_invalid(), which removes all cfids from the
cfids->entries list but doesn't drop a ref if has_lease isn't true. This
results in the currently-being-constructed cfid not being on the list,
but still having a refcount of 2. It leaks if returned from
open_cached_dir().
Fix this by setting cfid->has_lease when the ref is actually taken; the
cfid will not be used by other threads until it has a valid time.
Addresses these kmemleaks:
unreferenced object 0xffff8881090c4000 (size 1024):
comm "bash", pid 1860, jiffies 4295126592
hex dump (first 32 bytes):
00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........".......
00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O.....
backtrace (crc 6f58c20f):
[<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350
[<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0
[<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50
[<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0
[<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200
[<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0
[<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
unreferenced object 0xffff8881044fdcf8 (size 8):
comm "bash", pid 1860, jiffies 4295126592
hex dump (first 8 bytes):
00 cc cc cc cc cc cc cc ........
backtrace (crc 10c106a9):
[<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480
[<ffffffff8b7d7256>] kstrdup+0x36/0x60
[<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0
[<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50
[<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0
[<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200
[<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0
[<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
And addresses these BUG splats when unmounting the SMB filesystem:
BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100
Modules linked in:
CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:umount_check+0xd0/0x100
Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41
RSP: 0018:ffff88811cc27978 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40
RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3
R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08
R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0
FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0
Call Trace:
<TASK>
d_walk+0x6a/0x530
shrink_dcache_for_umount+0x6a/0x200
generic_shutdown_super+0x52/0x2a0
kill_anon_super+0x22/0x40
cifs_kill_sb+0x159/0x1e0
deactivate_locked_super+0x66/0xe0
cleanup_mnt+0x140/0x210
task_work_run+0xfb/0x170
syscall_exit_to_user_mode+0x29f/0x2b0
do_syscall_64+0xa1/0x1a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f23bfb93ae7
Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:04:23.545545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:21.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31fabf70d58388d5475e48ca8a6b7d2847b36678",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "1d76332d783db12684b67592f1fb2057b88af4c3",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "73a57b25b4df23f22814fc06b7e8f9cf570be026",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "7afb86733685c64c604d32faf00fa4a1f22c2ab1",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Don\u0027t leak cfid when reconnect races with open_cached_dir\n\nopen_cached_dir() may either race with the tcon reconnection even before\ncompound_send_recv() or directly trigger a reconnection via\nSMB2_open_init() or SMB_query_info_init().\n\nThe reconnection process invokes invalidate_all_cached_dirs() via\ncifs_mark_open_files_invalid(), which removes all cfids from the\ncfids-\u003eentries list but doesn\u0027t drop a ref if has_lease isn\u0027t true. This\nresults in the currently-being-constructed cfid not being on the list,\nbut still having a refcount of 2. It leaks if returned from\nopen_cached_dir().\n\nFix this by setting cfid-\u003ehas_lease when the ref is actually taken; the\ncfid will not be used by other threads until it has a valid time.\n\nAddresses these kmemleaks:\n\nunreferenced object 0xffff8881090c4000 (size 1024):\n comm \"bash\", pid 1860, jiffies 4295126592\n hex dump (first 32 bytes):\n 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........\".......\n 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E\"......O.....\n backtrace (crc 6f58c20f):\n [\u003cffffffff8b895a1e\u003e] __kmalloc_cache_noprof+0x2be/0x350\n [\u003cffffffff8bda06e3\u003e] open_cached_dir+0x993/0x1fb0\n [\u003cffffffff8bdaa750\u003e] cifs_readdir+0x15a0/0x1d50\n [\u003cffffffff8b9a853f\u003e] iterate_dir+0x28f/0x4b0\n [\u003cffffffff8b9a9aed\u003e] __x64_sys_getdents64+0xfd/0x200\n [\u003cffffffff8cf6da05\u003e] do_syscall_64+0x95/0x1a0\n [\u003cffffffff8d00012f\u003e] entry_SYSCALL_64_after_hwframe+0x76/0x7e\nunreferenced object 0xffff8881044fdcf8 (size 8):\n comm \"bash\", pid 1860, jiffies 4295126592\n hex dump (first 8 bytes):\n 00 cc cc cc cc cc cc cc ........\n backtrace (crc 10c106a9):\n [\u003cffffffff8b89a3d3\u003e] __kmalloc_node_track_caller_noprof+0x363/0x480\n [\u003cffffffff8b7d7256\u003e] kstrdup+0x36/0x60\n [\u003cffffffff8bda0700\u003e] open_cached_dir+0x9b0/0x1fb0\n [\u003cffffffff8bdaa750\u003e] cifs_readdir+0x15a0/0x1d50\n [\u003cffffffff8b9a853f\u003e] iterate_dir+0x28f/0x4b0\n [\u003cffffffff8b9a9aed\u003e] __x64_sys_getdents64+0xfd/0x200\n [\u003cffffffff8cf6da05\u003e] do_syscall_64+0x95/0x1a0\n [\u003cffffffff8d00012f\u003e] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAnd addresses these BUG splats when unmounting the SMB filesystem:\n\nBUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]\nWARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100\nModules linked in:\nCPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:umount_check+0xd0/0x100\nCode: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff \u003c0f\u003e 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41\nRSP: 0018:ffff88811cc27978 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40\nRBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3\nR10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08\nR13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0\nFS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n d_walk+0x6a/0x530\n shrink_dcache_for_umount+0x6a/0x200\n generic_shutdown_super+0x52/0x2a0\n kill_anon_super+0x22/0x40\n cifs_kill_sb+0x159/0x1e0\n deactivate_locked_super+0x66/0xe0\n cleanup_mnt+0x140/0x210\n task_work_run+0xfb/0x170\n syscall_exit_to_user_mode+0x29f/0x2b0\n do_syscall_64+0xa1/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f23bfb93ae7\nCode: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:55:02.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31fabf70d58388d5475e48ca8a6b7d2847b36678"
},
{
"url": "https://git.kernel.org/stable/c/1d76332d783db12684b67592f1fb2057b88af4c3"
},
{
"url": "https://git.kernel.org/stable/c/73a57b25b4df23f22814fc06b7e8f9cf570be026"
},
{
"url": "https://git.kernel.org/stable/c/7afb86733685c64c604d32faf00fa4a1f22c2ab1"
}
],
"title": "smb: Don\u0027t leak cfid when reconnect races with open_cached_dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53178",
"datePublished": "2024-12-27T13:49:22.085Z",
"dateReserved": "2024-11-19T17:17:25.008Z",
"dateUpdated": "2025-10-01T20:07:21.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49177 (GCVE-0-2022-49177)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: cavium - fix NULL but dereferenced coccicheck error
Fix following coccicheck warning:
./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR:
pdev is NULL but dereferenced.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:36.860050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:59.997Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/cavium-rng-vf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e47b12f9415169eceda6770fcf45802e0c8d2a66",
"status": "affected",
"version": "680efb33546be8960ccbb2f4e0e43034d9c93b30",
"versionType": "git"
},
{
"lessThan": "e6205ad58a7ac194abfb33897585b38687d797fa",
"status": "affected",
"version": "680efb33546be8960ccbb2f4e0e43034d9c93b30",
"versionType": "git"
},
{
"status": "affected",
"version": "bc20294cc8da53c0dc0f5a076b4883be6ec96930",
"versionType": "git"
},
{
"status": "affected",
"version": "7919dfd84b352782df92c1ff2f0ca4dd5328d198",
"versionType": "git"
},
{
"status": "affected",
"version": "cc744db61229b6c55164b8cbdfaad4caacce62f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/cavium-rng-vf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: cavium - fix NULL but dereferenced coccicheck error\n\nFix following coccicheck warning:\n./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR:\npdev is NULL but dereferenced."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T14:27:27.774Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e47b12f9415169eceda6770fcf45802e0c8d2a66"
},
{
"url": "https://git.kernel.org/stable/c/e6205ad58a7ac194abfb33897585b38687d797fa"
}
],
"title": "hwrng: cavium - fix NULL but dereferenced coccicheck error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49177",
"datePublished": "2025-02-26T01:55:31.078Z",
"dateReserved": "2025-02-26T01:49:39.281Z",
"dateUpdated": "2025-10-01T19:56:59.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21862 (GCVE-0-2025-21862)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drop_monitor: fix incorrect initialization order
Syzkaller reports the following bug:
BUG: spinlock bad magic on CPU#1, syz-executor.0/7995
lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x119/0x179 lib/dump_stack.c:118
debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
_raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159
reset_per_cpu_data+0xe6/0x240 [drop_monitor]
net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]
genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497
genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916
sock_sendmsg_nosec net/socket.c:651 [inline]
__sock_sendmsg+0x157/0x190 net/socket.c:663
____sys_sendmsg+0x712/0x870 net/socket.c:2378
___sys_sendmsg+0xf8/0x170 net/socket.c:2432
__sys_sendmsg+0xea/0x1b0 net/socket.c:2461
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f3f9815aee9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9
RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007
RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768
If drop_monitor is built as a kernel module, syzkaller may have time
to send a netlink NET_DM_CMD_START message during the module loading.
This will call the net_dm_monitor_start() function that uses
a spinlock that has not yet been initialized.
To fix this, let's place resource initialization above the registration
of a generic netlink family.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 Version: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:42.627398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:19.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/drop_monitor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e9e0f224ffd8b819da3ea247dda404795fdd182",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "29f9cdcab3d96d5207a5c92b52c40ad75e5915d8",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "872c7c7e57a746046796ddfead529c9d37b9f6b4",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "fcfc00bfec7bb6661074cb21356d05a4c9470a3c",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "b7859e8643e75619b2705b4fcac93ffd94d72b4a",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "219a47d0e6195bd202f22855e35f25bd15bc4d58",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
},
{
"lessThan": "07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea",
"status": "affected",
"version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/drop_monitor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: \u003cnone\u003e/-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let\u0027s place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:45.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182"
},
{
"url": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8"
},
{
"url": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4"
},
{
"url": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c"
},
{
"url": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282"
},
{
"url": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a"
},
{
"url": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58"
},
{
"url": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea"
}
],
"title": "drop_monitor: fix incorrect initialization order",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21862",
"datePublished": "2025-03-12T09:42:19.881Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-11-03T19:38:19.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49534 (GCVE-0-2022-49534)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT
There is a potential memory leak in lpfc_ignore_els_cmpl() and
lpfc_els_rsp_reject() that was allocated from NPIV PLOGI_RJT
(lpfc_rcv_plogi()'s login_mbox).
Check if cmdiocb->context_un.mbox was allocated in lpfc_ignore_els_cmpl(),
and then free it back to phba->mbox_mem_pool along with mbox->ctx_buf for
service parameters.
For lpfc_els_rsp_reject() failure, free both the ctx_buf for service
parameters and the login_mbox.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:49.137797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:40.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nportdisc.c",
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c00df0f34a6d5e14da379f96ea67e501ce67b002",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "672d1cb40551ea9c95efad43ab6d45e4ab4e015f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_nportdisc.c",
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT\n\nThere is a potential memory leak in lpfc_ignore_els_cmpl() and\nlpfc_els_rsp_reject() that was allocated from NPIV PLOGI_RJT\n(lpfc_rcv_plogi()\u0027s login_mbox).\n\nCheck if cmdiocb-\u003econtext_un.mbox was allocated in lpfc_ignore_els_cmpl(),\nand then free it back to phba-\u003embox_mem_pool along with mbox-\u003ectx_buf for\nservice parameters.\n\nFor lpfc_els_rsp_reject() failure, free both the ctx_buf for service\nparameters and the login_mbox."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:59.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c00df0f34a6d5e14da379f96ea67e501ce67b002"
},
{
"url": "https://git.kernel.org/stable/c/672d1cb40551ea9c95efad43ab6d45e4ab4e015f"
}
],
"title": "scsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49534",
"datePublished": "2025-02-26T02:13:52.978Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:40.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57979 (GCVE-0-2024-57979)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pps: Fix a use-after-free
On a board running ntpd and gpsd, I'm seeing a consistent use-after-free
in sys_exit() from gpsd when rebooting:
pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kobject_put+0x120/0x150
lr : kobject_put+0x120/0x150
sp : ffffffc0803d3ae0
x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001
x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440
x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600
x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20
x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
kobject_put+0x120/0x150
cdev_put+0x20/0x3c
__fput+0x2c4/0x2d8
____fput+0x1c/0x38
task_work_run+0x70/0xfc
do_exit+0x2a0/0x924
do_group_exit+0x34/0x90
get_signal+0x7fc/0x8c0
do_signal+0x128/0x13b4
do_notify_resume+0xdc/0x160
el0_svc+0xd4/0xf8
el0t_64_sync_handler+0x140/0x14c
el0t_64_sync+0x190/0x194
---[ end trace 0000000000000000 ]---
...followed by more symptoms of corruption, with similar stacks:
refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception
This happens because pps_device_destruct() frees the pps_device with the
embedded cdev immediately after calling cdev_del(), but, as the comment
above cdev_del() notes, fops for previously opened cdevs are still
callable even after cdev_del() returns. I think this bug has always
been there: I can't explain why it suddenly started happening every time
I reboot this particular board.
In commit d953e0e837e6 ("pps: Fix a use-after free bug when
unregistering a source."), George Spelvin suggested removing the
embedded cdev. That seems like the simplest way to fix this, so I've
implemented his suggestion, using __register_chrdev() with pps_idr
becoming the source of truth for which minor corresponds to which
device.
But now that pps_idr defines userspace visibility instead of cdev_add(),
we need to be sure the pps->dev refcount can't reach zero while
userspace can still find it again. So, the idr_remove() call moves to
pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.
pps_core: source serial1 got cdev (251:1)
<...>
pps pps1: removed
pps_core: unregistering pps1
pps_core: deallocating pps1
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 Version: 77327a71f9841b7dfa708195d1cb133d4ef4a989 Version: cd59fb14918a6b20c1ac8be121fa6397b97b00cb Version: 49626fbb0360332e40fd76a48cb2ba876d6134ad |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:45.747533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:56.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pps/clients/pps-gpio.c",
"drivers/pps/clients/pps-ktimer.c",
"drivers/pps/clients/pps-ldisc.c",
"drivers/pps/clients/pps_parport.c",
"drivers/pps/kapi.c",
"drivers/pps/kc.c",
"drivers/pps/pps.c",
"drivers/ptp/ptp_ocp.c",
"include/linux/pps_kernel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "1a7735ab2cb9747518a7416fb5929e85442dec62",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "91932db1d96b2952299ce30c1c693d834d10ace6",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "85241f7de216f8298f6e48540ea13d7dcd100870",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"lessThan": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"status": "affected",
"version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
"versionType": "git"
},
{
"status": "affected",
"version": "77327a71f9841b7dfa708195d1cb133d4ef4a989",
"versionType": "git"
},
{
"status": "affected",
"version": "cd59fb14918a6b20c1ac8be121fa6397b97b00cb",
"versionType": "git"
},
{
"status": "affected",
"version": "49626fbb0360332e40fd76a48cb2ba876d6134ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pps/clients/pps-gpio.c",
"drivers/pps/clients/pps-ktimer.c",
"drivers/pps/clients/pps-ldisc.c",
"drivers/pps/clients/pps_parport.c",
"drivers/pps/kapi.c",
"drivers/pps/kc.c",
"drivers/pps/pps.c",
"drivers/ptp/ptp_ocp.c",
"include/linux/pps_kernel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I\u0027m seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n pps pps1: removed\n ------------[ cut here ]------------\n kobject: \u0027(null)\u0027 (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : kobject_put+0x120/0x150\n lr : kobject_put+0x120/0x150\n sp : ffffffc0803d3ae0\n x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n kobject_put+0x120/0x150\n cdev_put+0x20/0x3c\n __fput+0x2c4/0x2d8\n ____fput+0x1c/0x38\n task_work_run+0x70/0xfc\n do_exit+0x2a0/0x924\n do_group_exit+0x34/0x90\n get_signal+0x7fc/0x8c0\n do_signal+0x128/0x13b4\n do_notify_resume+0xdc/0x160\n el0_svc+0xd4/0xf8\n el0t_64_sync_handler+0x140/0x14c\n el0t_64_sync+0x190/0x194\n ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n refcount_t: underflow; use-after-free.\n kernel BUG at lib/list_debug.c:62!\n Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can\u0027t explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I\u0027ve\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can\u0027t reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n pps_core: source serial1 got cdev (251:1)\n \u003c...\u003e\n pps pps1: removed\n pps_core: unregistering pps1\n pps_core: deallocating pps1"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:47.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e"
},
{
"url": "https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62"
},
{
"url": "https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"
},
{
"url": "https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6"
},
{
"url": "https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"
},
{
"url": "https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49"
},
{
"url": "https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870"
},
{
"url": "https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"
}
],
"title": "pps: Fix a use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57979",
"datePublished": "2025-02-27T02:07:06.168Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2025-11-03T19:32:56.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49084 (GCVE-0-2022-49084)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
qede: confirm skb is allocated before using
qede_build_skb() assumes build_skb() always works and goes straight
to skb_reserve(). However, build_skb() can fail under memory pressure.
This results in a kernel panic because the skb to reserve is NULL.
Add a check in case build_skb() failed to allocate and return NULL.
The NULL return is handled correctly in callers to qede_build_skb().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e Version: 8a8633978b842c88fbcfe00d4e5dde96048f630e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9648adb1b3ece55c657d3a4f52bfee663b710dfe",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "034a92c6a81048128fc7b18d278d52438a13902a",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "8928239e5e2e460d95b8a0b89f61671625e7ece0",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "c9bdce2359b5f4986eb38d1e81865b3586cc20d2",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "b2d6b3db9d1cf80908964036dbe1c52a86b1afb1",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "e1fd0c42acfa22bb34d2ab6a111484f466ab8093",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
},
{
"lessThan": "4e910dbe36508654a896d5735b318c0b88172570",
"status": "affected",
"version": "8a8633978b842c88fbcfe00d4e5dde96048f630e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nqede: confirm skb is allocated before using\n\nqede_build_skb() assumes build_skb() always works and goes straight\nto skb_reserve(). However, build_skb() can fail under memory pressure.\nThis results in a kernel panic because the skb to reserve is NULL.\n\nAdd a check in case build_skb() failed to allocate and return NULL.\n\nThe NULL return is handled correctly in callers to qede_build_skb()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:23.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9648adb1b3ece55c657d3a4f52bfee663b710dfe"
},
{
"url": "https://git.kernel.org/stable/c/034a92c6a81048128fc7b18d278d52438a13902a"
},
{
"url": "https://git.kernel.org/stable/c/8928239e5e2e460d95b8a0b89f61671625e7ece0"
},
{
"url": "https://git.kernel.org/stable/c/c9bdce2359b5f4986eb38d1e81865b3586cc20d2"
},
{
"url": "https://git.kernel.org/stable/c/b2d6b3db9d1cf80908964036dbe1c52a86b1afb1"
},
{
"url": "https://git.kernel.org/stable/c/e1fd0c42acfa22bb34d2ab6a111484f466ab8093"
},
{
"url": "https://git.kernel.org/stable/c/4e910dbe36508654a896d5735b318c0b88172570"
}
],
"title": "qede: confirm skb is allocated before using",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49084",
"datePublished": "2025-02-26T01:54:43.099Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T08:29:23.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53680 (GCVE-0-2024-53680)
Vulnerability from cvelistv5
Published
2025-01-11 12:25
Modified
2025-11-03 20:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()
Under certain kernel configurations when building with Clang/LLVM, the
compiler does not generate a return or jump as the terminator
instruction for ip_vs_protocol_init(), triggering the following objtool
warning during build time:
vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()
At runtime, this either causes an oops when trying to load the ipvs
module or a boot-time panic if ipvs is built-in. This same issue has
been reported by the Intel kernel test robot previously.
Digging deeper into both LLVM and the kernel code reveals this to be a
undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer
of 64 chars to store the registered protocol names and leaves it
uninitialized after definition. The function calls strnlen() when
concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE
strnlen() performs an extra step to check whether the last byte of the
input char buffer is a null character (commit 3009f891bb9f ("fortify:
Allow strlen() and strnlen() to pass compile-time known lengths")).
This, together with possibly other configurations, cause the following
IR to be generated:
define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 {
%1 = alloca [64 x i8], align 16
...
14: ; preds = %11
%15 = getelementptr inbounds i8, ptr %1, i64 63
%16 = load i8, ptr %15, align 1
%17 = tail call i1 @llvm.is.constant.i8(i8 %16)
%18 = icmp eq i8 %16, 0
%19 = select i1 %17, i1 %18, i1 false
br i1 %19, label %20, label %23
20: ; preds = %14
%21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23
...
23: ; preds = %14, %11, %20
%24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24
...
}
The above code calculates the address of the last char in the buffer
(value %15) and then loads from it (value %16). Because the buffer is
never initialized, the LLVM GVN pass marks value %16 as undefined:
%13 = getelementptr inbounds i8, ptr %1, i64 63
br i1 undef, label %14, label %17
This gives later passes (SCCP, in particular) more DCE opportunities by
propagating the undef value further, and eventually removes everything
after the load on the uninitialized stack location:
define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 {
%1 = alloca [64 x i8], align 16
...
12: ; preds = %11
%13 = getelementptr inbounds i8, ptr %1, i64 63
unreachable
}
In this way, the generated native code will just fall through to the
next function, as LLVM does not generate any code for the unreachable IR
instruction and leaves the function without a terminator.
Zero the on-stack buffer to avoid this possible UB.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:48:17.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31d1ddc1ce8e8d3f101a679243abb42a313ee88a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b2cbed82b7c6504a8a0fbd181f92dd56b432c12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d6e1776f51c95827142f1d7064118e255e2deec1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "664d0feab92495b6a27edc3d1119e232c0fe8b2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "124834133b32f9386bb2d8581d9ab92f65e951e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48130002e64fd191b7d18efeb4d253fcc23e4688",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "146b6f1112eb30a19776d6c323c994e9d67790db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()\n\nUnder certain kernel configurations when building with Clang/LLVM, the\ncompiler does not generate a return or jump as the terminator\ninstruction for ip_vs_protocol_init(), triggering the following objtool\nwarning during build time:\n\n vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()\n\nAt runtime, this either causes an oops when trying to load the ipvs\nmodule or a boot-time panic if ipvs is built-in. This same issue has\nbeen reported by the Intel kernel test robot previously.\n\nDigging deeper into both LLVM and the kernel code reveals this to be a\nundefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer\nof 64 chars to store the registered protocol names and leaves it\nuninitialized after definition. The function calls strnlen() when\nconcatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE\nstrnlen() performs an extra step to check whether the last byte of the\ninput char buffer is a null character (commit 3009f891bb9f (\"fortify:\nAllow strlen() and strnlen() to pass compile-time known lengths\")).\nThis, together with possibly other configurations, cause the following\nIR to be generated:\n\n define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section \".init.text\" align 16 !kcfi_type !29 {\n %1 = alloca [64 x i8], align 16\n ...\n\n 14: ; preds = %11\n %15 = getelementptr inbounds i8, ptr %1, i64 63\n %16 = load i8, ptr %15, align 1\n %17 = tail call i1 @llvm.is.constant.i8(i8 %16)\n %18 = icmp eq i8 %16, 0\n %19 = select i1 %17, i1 %18, i1 false\n br i1 %19, label %20, label %23\n\n 20: ; preds = %14\n %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23\n ...\n\n 23: ; preds = %14, %11, %20\n %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24\n ...\n }\n\nThe above code calculates the address of the last char in the buffer\n(value %15) and then loads from it (value %16). Because the buffer is\nnever initialized, the LLVM GVN pass marks value %16 as undefined:\n\n %13 = getelementptr inbounds i8, ptr %1, i64 63\n br i1 undef, label %14, label %17\n\nThis gives later passes (SCCP, in particular) more DCE opportunities by\npropagating the undef value further, and eventually removes everything\nafter the load on the uninitialized stack location:\n\n define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section \".init.text\" align 16 !kcfi_type !11 {\n %1 = alloca [64 x i8], align 16\n ...\n\n 12: ; preds = %11\n %13 = getelementptr inbounds i8, ptr %1, i64 63\n unreachable\n }\n\nIn this way, the generated native code will just fall through to the\nnext function, as LLVM does not generate any code for the unreachable IR\ninstruction and leaves the function without a terminator.\n\nZero the on-stack buffer to avoid this possible UB."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:56:50.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31d1ddc1ce8e8d3f101a679243abb42a313ee88a"
},
{
"url": "https://git.kernel.org/stable/c/0b2cbed82b7c6504a8a0fbd181f92dd56b432c12"
},
{
"url": "https://git.kernel.org/stable/c/d6e1776f51c95827142f1d7064118e255e2deec1"
},
{
"url": "https://git.kernel.org/stable/c/664d0feab92495b6a27edc3d1119e232c0fe8b2b"
},
{
"url": "https://git.kernel.org/stable/c/124834133b32f9386bb2d8581d9ab92f65e951e4"
},
{
"url": "https://git.kernel.org/stable/c/48130002e64fd191b7d18efeb4d253fcc23e4688"
},
{
"url": "https://git.kernel.org/stable/c/146b6f1112eb30a19776d6c323c994e9d67790db"
}
],
"title": "ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53680",
"datePublished": "2025-01-11T12:25:21.794Z",
"dateReserved": "2025-01-09T09:49:29.723Z",
"dateUpdated": "2025-11-03T20:48:17.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49412 (GCVE-0-2022-49412)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-06-19 12:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfq: Avoid merging queues with different parents
It can happen that the parent of a bfqq changes between the moment we
decide two queues are worth to merge (and set bic->stable_merge_bfqq)
and the moment bfq_setup_merge() is called. This can happen e.g. because
the process submitted IO for a different cgroup and thus bfqq got
reparented. It can even happen that the bfqq we are merging with has
parent cgroup that is already offline and going to be destroyed in which
case the merge can lead to use-after-free issues such as:
BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544
CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x46/0x5a
print_address_description.constprop.0+0x1f/0x140
? __bfq_deactivate_entity+0x9cb/0xa50
kasan_report.cold+0x7f/0x11b
? __bfq_deactivate_entity+0x9cb/0xa50
__bfq_deactivate_entity+0x9cb/0xa50
? update_curr+0x32f/0x5d0
bfq_deactivate_entity+0xa0/0x1d0
bfq_del_bfqq_busy+0x28a/0x420
? resched_curr+0x116/0x1d0
? bfq_requeue_bfqq+0x70/0x70
? check_preempt_wakeup+0x52b/0xbc0
__bfq_bfqq_expire+0x1a2/0x270
bfq_bfqq_expire+0xd16/0x2160
? try_to_wake_up+0x4ee/0x1260
? bfq_end_wr_async_queues+0xe0/0xe0
? _raw_write_unlock_bh+0x60/0x60
? _raw_spin_lock_irq+0x81/0xe0
bfq_idle_slice_timer+0x109/0x280
? bfq_dispatch_request+0x4870/0x4870
__hrtimer_run_queues+0x37d/0x700
? enqueue_hrtimer+0x1b0/0x1b0
? kvm_clock_get_cycles+0xd/0x10
? ktime_get_update_offsets_now+0x6f/0x280
hrtimer_interrupt+0x2c8/0x740
Fix the problem by checking that the parent of the two bfqqs we are
merging in bfq_setup_merge() is the same.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:26.495959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ee21edaed09e6b25f2c007b3f326752bc89bacf",
"status": "affected",
"version": "430a67f9d6169a7b3e328bceb2ef9542e4153c7c",
"versionType": "git"
},
{
"lessThan": "a16c65cca7d2c7ff965fdd3adc8df2156529caf1",
"status": "affected",
"version": "430a67f9d6169a7b3e328bceb2ef9542e4153c7c",
"versionType": "git"
},
{
"lessThan": "8abc8763b11c35e03cc91d59fd0cd28d39f88ca9",
"status": "affected",
"version": "430a67f9d6169a7b3e328bceb2ef9542e4153c7c",
"versionType": "git"
},
{
"lessThan": "c1cee4ab36acef271be9101590756ed0c0c374d9",
"status": "affected",
"version": "430a67f9d6169a7b3e328bceb2ef9542e4153c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Avoid merging queues with different parents\n\nIt can happen that the parent of a bfqq changes between the moment we\ndecide two queues are worth to merge (and set bic-\u003estable_merge_bfqq)\nand the moment bfq_setup_merge() is called. This can happen e.g. because\nthe process submitted IO for a different cgroup and thus bfqq got\nreparented. It can even happen that the bfqq we are merging with has\nparent cgroup that is already offline and going to be destroyed in which\ncase the merge can lead to use-after-free issues such as:\n\nBUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50\nRead of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544\n\nCPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x46/0x5a\n print_address_description.constprop.0+0x1f/0x140\n ? __bfq_deactivate_entity+0x9cb/0xa50\n kasan_report.cold+0x7f/0x11b\n ? __bfq_deactivate_entity+0x9cb/0xa50\n __bfq_deactivate_entity+0x9cb/0xa50\n ? update_curr+0x32f/0x5d0\n bfq_deactivate_entity+0xa0/0x1d0\n bfq_del_bfqq_busy+0x28a/0x420\n ? resched_curr+0x116/0x1d0\n ? bfq_requeue_bfqq+0x70/0x70\n ? check_preempt_wakeup+0x52b/0xbc0\n __bfq_bfqq_expire+0x1a2/0x270\n bfq_bfqq_expire+0xd16/0x2160\n ? try_to_wake_up+0x4ee/0x1260\n ? bfq_end_wr_async_queues+0xe0/0xe0\n ? _raw_write_unlock_bh+0x60/0x60\n ? _raw_spin_lock_irq+0x81/0xe0\n bfq_idle_slice_timer+0x109/0x280\n ? bfq_dispatch_request+0x4870/0x4870\n __hrtimer_run_queues+0x37d/0x700\n ? enqueue_hrtimer+0x1b0/0x1b0\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_update_offsets_now+0x6f/0x280\n hrtimer_interrupt+0x2c8/0x740\n\nFix the problem by checking that the parent of the two bfqqs we are\nmerging in bfq_setup_merge() is the same."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:39:08.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ee21edaed09e6b25f2c007b3f326752bc89bacf"
},
{
"url": "https://git.kernel.org/stable/c/a16c65cca7d2c7ff965fdd3adc8df2156529caf1"
},
{
"url": "https://git.kernel.org/stable/c/8abc8763b11c35e03cc91d59fd0cd28d39f88ca9"
},
{
"url": "https://git.kernel.org/stable/c/c1cee4ab36acef271be9101590756ed0c0c374d9"
}
],
"title": "bfq: Avoid merging queues with different parents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49412",
"datePublished": "2025-02-26T02:12:34.114Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-06-19T12:39:08.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49476 (GCVE-0-2022-49476)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7921: fix kernel crash at mt7921_pci_remove
The crash log shown it is possible that mt7921_irq_handler is called while
devm_free_irq is being handled so mt76_free_device need to be postponed
until devm_free_irq is completed to solve the crash we free the mt76 device
too early.
[ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 9299.339705] #PF: supervisor read access in kernel mode
[ 9299.339735] #PF: error_code(0x0000) - not-present page
[ 9299.339768] PGD 0 P4D 0
[ 9299.339786] Oops: 0000 [#1] SMP PTI
[ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1
[ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022
[ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]
[ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082
[ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5
[ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020
[ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011
[ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080
[ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228
[ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000
[ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0
[ 9299.340432] PKRU: 55555554
[ 9299.340449] Call Trace:
[ 9299.340467] <TASK>
[ 9299.340485] __free_irq+0x221/0x350
[ 9299.340527] free_irq+0x30/0x70
[ 9299.340553] devm_free_irq+0x55/0x80
[ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]
[ 9299.340616] pci_device_remove+0x3b/0xa0
[ 9299.340651] __device_release_driver+0x17a/0x240
[ 9299.340686] device_driver_detach+0x3c/0xa0
[ 9299.340714] unbind_store+0x113/0x130
[ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0
[ 9299.340775] new_sync_write+0x15c/0x1f0
[ 9299.340806] vfs_write+0x1d2/0x270
[ 9299.340831] ksys_write+0x67/0xe0
[ 9299.340857] do_syscall_64+0x3b/0x90
[ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:36.188558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09693f5b636fb3f6dd56fd943226fc1bbc600b51",
"status": "affected",
"version": "5c14a5f944b91371961548b1907802f74a4d2e5c",
"versionType": "git"
},
{
"lessThan": "677e669973bf5460705bc65033445ea9f6615999",
"status": "affected",
"version": "5c14a5f944b91371961548b1907802f74a4d2e5c",
"versionType": "git"
},
{
"lessThan": "ad483ed9dd5193a54293269c852a29051813b7bd",
"status": "affected",
"version": "5c14a5f944b91371961548b1907802f74a4d2e5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix kernel crash at mt7921_pci_remove\n\nThe crash log shown it is possible that mt7921_irq_handler is called while\ndevm_free_irq is being handled so mt76_free_device need to be postponed\nuntil devm_free_irq is completed to solve the crash we free the mt76 device\ntoo early.\n\n[ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[ 9299.339705] #PF: supervisor read access in kernel mode\n[ 9299.339735] #PF: error_code(0x0000) - not-present page\n[ 9299.339768] PGD 0 P4D 0\n[ 9299.339786] Oops: 0000 [#1] SMP PTI\n[ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1\n[ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022\n[ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]\n[ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082\n[ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5\n[ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020\n[ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011\n[ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080\n[ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228\n[ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000\n[ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0\n[ 9299.340432] PKRU: 55555554\n[ 9299.340449] Call Trace:\n[ 9299.340467] \u003cTASK\u003e\n[ 9299.340485] __free_irq+0x221/0x350\n[ 9299.340527] free_irq+0x30/0x70\n[ 9299.340553] devm_free_irq+0x55/0x80\n[ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]\n[ 9299.340616] pci_device_remove+0x3b/0xa0\n[ 9299.340651] __device_release_driver+0x17a/0x240\n[ 9299.340686] device_driver_detach+0x3c/0xa0\n[ 9299.340714] unbind_store+0x113/0x130\n[ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0\n[ 9299.340775] new_sync_write+0x15c/0x1f0\n[ 9299.340806] vfs_write+0x1d2/0x270\n[ 9299.340831] ksys_write+0x67/0xe0\n[ 9299.340857] do_syscall_64+0x3b/0x90\n[ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:33.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09693f5b636fb3f6dd56fd943226fc1bbc600b51"
},
{
"url": "https://git.kernel.org/stable/c/677e669973bf5460705bc65033445ea9f6615999"
},
{
"url": "https://git.kernel.org/stable/c/ad483ed9dd5193a54293269c852a29051813b7bd"
}
],
"title": "mt76: mt7921: fix kernel crash at mt7921_pci_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49476",
"datePublished": "2025-02-26T02:13:18.013Z",
"dateReserved": "2025-02-26T02:08:31.580Z",
"dateUpdated": "2025-10-01T19:46:45.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58083 (GCVE-0-2024-58083)
Vulnerability from cvelistv5
Published
2025-03-06 16:13
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
Explicitly verify the target vCPU is fully online _prior_ to clamping the
index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will
generate '0', i.e. KVM will return vCPU0 instead of NULL.
In practice, the bug is unlikely to cause problems, as it will only come
into play if userspace or the guest is buggy or misbehaving, e.g. KVM may
send interrupts to vCPU0 instead of dropping them on the floor.
However, returning vCPU0 when it shouldn't exist per online_vcpus is
problematic now that KVM uses an xarray for the vCPUs array, as KVM needs
to insert into the xarray before publishing the vCPU to userspace (see
commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")),
i.e. before vCPU creation is guaranteed to succeed.
As a result, incorrectly providing access to vCPU0 will trigger a
use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()
bails out of vCPU creation due to an error and frees vCPU0. Commit
afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but
in doing so introduced an unsolvable teardown conundrum. Preventing
accesses to vCPU0 before it's fully online will allow reverting commit
afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c Version: 559e2696d2f47a3575e9550f101a7e59e30b1b38 Version: d39f3cc71382165bb7efb8e06a2bd32f847de4ae Version: 7cee966029037a183d98cb88251ceb92a233fe63 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T17:00:02.623750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:23.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:17.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/kvm_host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5cce2ed69b00e022b5cdf0c49c82986abd2941a8",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "09d50ccf0b2d739db4a485b08afe7520a4402a63",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "7c4899239d0f70f88ac42665b3da51678d122480",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "d817e510662fd1c9797952408d94806f97a5fffd",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "125da53b3c0c9d7f58353aea0076e9efd6498ba7",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "f2f805ada63b536bc192458a7098388286568ad4",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "ca8da90ed1432ff3d000de4f1e2275d4e7d21b96",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"lessThan": "1e7381f3617d14b3c11da80ff5f8a93ab14cfc46",
"status": "affected",
"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
"versionType": "git"
},
{
"status": "affected",
"version": "559e2696d2f47a3575e9550f101a7e59e30b1b38",
"versionType": "git"
},
{
"status": "affected",
"version": "d39f3cc71382165bb7efb8e06a2bd32f847de4ae",
"versionType": "git"
},
{
"status": "affected",
"version": "7cee966029037a183d98cb88251ceb92a233fe63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/kvm_host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu(). If the index is \"bad\", the nospec clamping will\ngenerate \u00270\u0027, i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn\u0027t exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm-\u003evcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0. Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum. Preventing\naccesses to vCPU0 before it\u0027s fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:53.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8"
},
{
"url": "https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63"
},
{
"url": "https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480"
},
{
"url": "https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd"
},
{
"url": "https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7"
},
{
"url": "https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4"
},
{
"url": "https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96"
},
{
"url": "https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46"
}
],
"title": "KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58083",
"datePublished": "2025-03-06T16:13:45.631Z",
"dateReserved": "2025-03-06T15:52:09.183Z",
"dateUpdated": "2025-11-03T19:34:17.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49562 (GCVE-0-2022-49562)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits
Use the recently introduced __try_cmpxchg_user() to update guest PTE A/D
bits instead of mapping the PTE into kernel address space. The VM_PFNMAP
path is broken as it assumes that vm_pgoff is the base pfn of the mapped
VMA range, which is conceptually wrong as vm_pgoff is the offset relative
to the file and has nothing to do with the pfn. The horrific hack worked
for the original use case (backing guest memory with /dev/mem), but leads
to accessing "random" pfns for pretty much any other VM_PFNMAP case.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/paging_tmpl.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38b888911e8dc89b89d8147cfb1d2dbe6373bf78",
"status": "affected",
"version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
"versionType": "git"
},
{
"lessThan": "8089e5e1d18402fb8152d6b6815450a36fffa9b0",
"status": "affected",
"version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
"versionType": "git"
},
{
"lessThan": "f122dfe4476890d60b8c679128cd2259ec96a24c",
"status": "affected",
"version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/paging_tmpl.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits\n\nUse the recently introduced __try_cmpxchg_user() to update guest PTE A/D\nbits instead of mapping the PTE into kernel address space. The VM_PFNMAP\npath is broken as it assumes that vm_pgoff is the base pfn of the mapped\nVMA range, which is conceptually wrong as vm_pgoff is the offset relative\nto the file and has nothing to do with the pfn. The horrific hack worked\nfor the original use case (backing guest memory with /dev/mem), but leads\nto accessing \"random\" pfns for pretty much any other VM_PFNMAP case."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:41.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38b888911e8dc89b89d8147cfb1d2dbe6373bf78"
},
{
"url": "https://git.kernel.org/stable/c/8089e5e1d18402fb8152d6b6815450a36fffa9b0"
},
{
"url": "https://git.kernel.org/stable/c/f122dfe4476890d60b8c679128cd2259ec96a24c"
}
],
"title": "KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49562",
"datePublished": "2025-02-26T02:14:06.515Z",
"dateReserved": "2025-02-26T02:08:31.591Z",
"dateUpdated": "2025-05-04T08:40:41.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52975 (GCVE-0-2023-52975)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
Bug report and analysis from Ding Hui.
During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:
[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3
[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 276.944470] Call Trace:
[ 276.944943] <TASK>
[ 276.945397] dump_stack_lvl+0x34/0x48
[ 276.945887] print_address_description.constprop.0+0x86/0x1e7
[ 276.946421] print_report+0x36/0x4f
[ 276.947358] kasan_report+0xad/0x130
[ 276.948234] kasan_check_range+0x35/0x1c0
[ 276.948674] _raw_spin_lock_bh+0x78/0xe0
[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[ 276.952185] dev_attr_show+0x3f/0x80
[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0
[ 276.953401] seq_read_iter+0x402/0x1020
[ 276.954260] vfs_read+0x532/0x7b0
[ 276.955113] ksys_read+0xed/0x1c0
[ 276.955952] do_syscall_64+0x38/0x90
[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.956769] RIP: 0033:0x7f5d3a679222
[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[ 276.960536] </TASK>
[ 276.961357] Allocated by task 2209:
[ 276.961756] kasan_save_stack+0x1e/0x40
[ 276.962170] kasan_set_track+0x21/0x30
[ 276.962557] __kasan_kmalloc+0x7e/0x90
[ 276.962923] __kmalloc+0x5b/0x140
[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]
[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.965546] netlink_unicast+0x4d5/0x7b0
[ 276.965905] netlink_sendmsg+0x78d/0xc30
[ 276.966236] sock_sendmsg+0xe5/0x120
[ 276.966576] ____sys_sendmsg+0x5fe/0x860
[ 276.966923] ___sys_sendmsg+0xe0/0x170
[ 276.967300] __sys_sendmsg+0xc8/0x170
[ 276.967666] do_syscall_64+0x38/0x90
[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.968773] Freed by task 2209:
[ 276.969111] kasan_save_stack+0x1e/0x40
[ 276.969449] kasan_set_track+0x21/0x30
[ 276.969789] kasan_save_free_info+0x2a/0x50
[ 276.970146] __kasan_slab_free+0x106/0x190
[ 276.970470] __kmem_cache_free+0x133/0x270
[ 276.970816] device_release+0x98/0x210
[ 276.971145] kobject_cleanup+0x101/0x360
[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.972808] netlink_unicast+0x4d5/0x7b0
[ 276.973201] netlink_sendmsg+0x78d/0xc30
[ 276.973544] sock_sendmsg+0xe5/0x120
[ 276.973864] ____sys_sendmsg+0x5fe/0x860
[ 276.974248] ___sys_
---truncated---
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:46.852113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c",
"drivers/scsi/libiscsi.c",
"include/scsi/libiscsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17b738590b97fb3fc287289971d1519ff9b875a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8859687f5b242c0b057461df0a9ff51d5500783b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f1d64b13097e85abda0f91b5638000afc5f9a06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c",
"drivers/scsi/libiscsi.c",
"include/scsi/libiscsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3\n[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[ 276.944470] Call Trace:\n[ 276.944943] \u003cTASK\u003e\n[ 276.945397] dump_stack_lvl+0x34/0x48\n[ 276.945887] print_address_description.constprop.0+0x86/0x1e7\n[ 276.946421] print_report+0x36/0x4f\n[ 276.947358] kasan_report+0xad/0x130\n[ 276.948234] kasan_check_range+0x35/0x1c0\n[ 276.948674] _raw_spin_lock_bh+0x78/0xe0\n[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[ 276.952185] dev_attr_show+0x3f/0x80\n[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0\n[ 276.953401] seq_read_iter+0x402/0x1020\n[ 276.954260] vfs_read+0x532/0x7b0\n[ 276.955113] ksys_read+0xed/0x1c0\n[ 276.955952] do_syscall_64+0x38/0x90\n[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 276.956769] RIP: 0033:0x7f5d3a679222\n[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[ 276.960536] \u003c/TASK\u003e\n[ 276.961357] Allocated by task 2209:\n[ 276.961756] kasan_save_stack+0x1e/0x40\n[ 276.962170] kasan_set_track+0x21/0x30\n[ 276.962557] __kasan_kmalloc+0x7e/0x90\n[ 276.962923] __kmalloc+0x5b/0x140\n[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]\n[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[ 276.965546] netlink_unicast+0x4d5/0x7b0\n[ 276.965905] netlink_sendmsg+0x78d/0xc30\n[ 276.966236] sock_sendmsg+0xe5/0x120\n[ 276.966576] ____sys_sendmsg+0x5fe/0x860\n[ 276.966923] ___sys_sendmsg+0xe0/0x170\n[ 276.967300] __sys_sendmsg+0xc8/0x170\n[ 276.967666] do_syscall_64+0x38/0x90\n[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 276.968773] Freed by task 2209:\n[ 276.969111] kasan_save_stack+0x1e/0x40\n[ 276.969449] kasan_set_track+0x21/0x30\n[ 276.969789] kasan_save_free_info+0x2a/0x50\n[ 276.970146] __kasan_slab_free+0x106/0x190\n[ 276.970470] __kmem_cache_free+0x133/0x270\n[ 276.970816] device_release+0x98/0x210\n[ 276.971145] kobject_cleanup+0x101/0x360\n[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[ 276.972808] netlink_unicast+0x4d5/0x7b0\n[ 276.973201] netlink_sendmsg+0x78d/0xc30\n[ 276.973544] sock_sendmsg+0xe5/0x120\n[ 276.973864] ____sys_sendmsg+0x5fe/0x860\n[ 276.974248] ___sys_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:38.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1"
},
{
"url": "https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b"
},
{
"url": "https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06"
}
],
"title": "scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52975",
"datePublished": "2025-03-27T16:43:15.322Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:38.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49431 (GCVE-0-2022-49431)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/iommu: Add missing of_node_put in iommu_init_early_dart
The device_node pointer is returned by of_find_compatible_node
with refcount incremented. We should use of_node_put() to avoid
the refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/dart_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb4f2dc513e99c5d0485661f114e4dda73612d10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dfc308d6f29aa28463deb9a12278a85a382385ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df6d8b689252c0acc0448d4ae3d33f2d6db048ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8657e8ea23325949091da72453ba84fb73cc2bd9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e3f1dfb9e21733d7276bc9ccea4daada163f2ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57b742a5b8945118022973e6416b71351df512fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/dart_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Add missing of_node_put in iommu_init_early_dart\n\nThe device_node pointer is returned by of_find_compatible_node\nwith refcount incremented. We should use of_node_put() to avoid\nthe refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:31.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb4f2dc513e99c5d0485661f114e4dda73612d10"
},
{
"url": "https://git.kernel.org/stable/c/dfc308d6f29aa28463deb9a12278a85a382385ca"
},
{
"url": "https://git.kernel.org/stable/c/df6d8b689252c0acc0448d4ae3d33f2d6db048ab"
},
{
"url": "https://git.kernel.org/stable/c/8657e8ea23325949091da72453ba84fb73cc2bd9"
},
{
"url": "https://git.kernel.org/stable/c/7e3f1dfb9e21733d7276bc9ccea4daada163f2ba"
},
{
"url": "https://git.kernel.org/stable/c/57b742a5b8945118022973e6416b71351df512fb"
}
],
"title": "powerpc/iommu: Add missing of_node_put in iommu_init_early_dart",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49431",
"datePublished": "2025-02-26T02:12:49.592Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T08:37:31.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49151 (GCVE-0-2022-49151)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: properly check endpoint type
Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. We should check that in endpoint is actually present to
prevent this warning.
Found pipes are now saved to struct mcba_priv and code uses them
directly instead of making pipes in place.
Fail log:
| usb 5-1: BOGUS urb xfer, pipe 3 != type 1
| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| Modules linked in:
| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0
| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
| Workqueue: usb_hub_wq hub_event
| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| ...
| Call Trace:
| <TASK>
| mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]
| mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858
| usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
| call_driver_probe drivers/base/dd.c:517 [inline]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 Version: 51f3baad7de943780ce0c17bd7975df567dd6e14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5598442edc29e8f6f2380e4b471dc1a3fcd80508",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "b48d1bb3f1ca337ad653022aefb5a40a47dfe5cd",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "cbd110b8dd7ad763bf413f71c0484116ae9302d4",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "ef0acc514123140157b19a9ff2e2de5d91d612bc",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "fa9c1f14002dc0d5293e16a2007bd89b6e79207b",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "88272b4a37913bdf6f339162a7920bd8e9b49de2",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "f2ec3cd0f34f8c3f94bc21fbba14868301c9c49d",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
},
{
"lessThan": "136bed0bfd3bc9c95c88aafff2d22ecb3a919f23",
"status": "affected",
"version": "51f3baad7de943780ce0c17bd7975df567dd6e14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/mcba_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. We should check that in endpoint is actually present to\nprevent this warning.\n\nFound pipes are now saved to struct mcba_priv and code uses them\ndirectly instead of making pipes in place.\n\nFail log:\n\n| usb 5-1: BOGUS urb xfer, pipe 3 != type 1\n| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n| Modules linked in:\n| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0\n| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\n| Workqueue: usb_hub_wq hub_event\n| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n| ...\n| Call Trace:\n| \u003cTASK\u003e\n| mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]\n| mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858\n| usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n| call_driver_probe drivers/base/dd.c:517 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:05.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5598442edc29e8f6f2380e4b471dc1a3fcd80508"
},
{
"url": "https://git.kernel.org/stable/c/b48d1bb3f1ca337ad653022aefb5a40a47dfe5cd"
},
{
"url": "https://git.kernel.org/stable/c/cbd110b8dd7ad763bf413f71c0484116ae9302d4"
},
{
"url": "https://git.kernel.org/stable/c/ef0acc514123140157b19a9ff2e2de5d91d612bc"
},
{
"url": "https://git.kernel.org/stable/c/fa9c1f14002dc0d5293e16a2007bd89b6e79207b"
},
{
"url": "https://git.kernel.org/stable/c/88272b4a37913bdf6f339162a7920bd8e9b49de2"
},
{
"url": "https://git.kernel.org/stable/c/f2ec3cd0f34f8c3f94bc21fbba14868301c9c49d"
},
{
"url": "https://git.kernel.org/stable/c/136bed0bfd3bc9c95c88aafff2d22ecb3a919f23"
}
],
"title": "can: mcba_usb: properly check endpoint type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49151",
"datePublished": "2025-02-26T01:55:17.665Z",
"dateReserved": "2025-02-26T01:49:39.274Z",
"dateUpdated": "2025-05-04T08:31:05.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49384 (GCVE-0-2022-49384)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix double free of io_acct_set bioset
Now io_acct_set is alloc and free in personality. Remove the codes that
free io_acct_set in md_free and md_stop.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:48.818598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:51.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36a2fc44c574a59ee3b5e2cb327182f227b2b07e",
"status": "affected",
"version": "00e3d58f50a875343124bcf5a9637520a492b0d1",
"versionType": "git"
},
{
"lessThan": "f99d5b5dc8a42c807b5f1176b925aa45d61962ab",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"lessThan": "ea7d7bd90079d96f9c86bdaf0b106e0cd2a70661",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"lessThan": "42b805af102471f53e3c7867b8c2b502ea4eef7e",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"status": "affected",
"version": "92053ae0398a58c6914e807d5e070297ba8cfe88",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix double free of io_acct_set bioset\n\nNow io_acct_set is alloc and free in personality. Remove the codes that\nfree io_acct_set in md_free and md_stop."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:31.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36a2fc44c574a59ee3b5e2cb327182f227b2b07e"
},
{
"url": "https://git.kernel.org/stable/c/f99d5b5dc8a42c807b5f1176b925aa45d61962ab"
},
{
"url": "https://git.kernel.org/stable/c/ea7d7bd90079d96f9c86bdaf0b106e0cd2a70661"
},
{
"url": "https://git.kernel.org/stable/c/42b805af102471f53e3c7867b8c2b502ea4eef7e"
}
],
"title": "md: fix double free of io_acct_set bioset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49384",
"datePublished": "2025-02-26T02:11:20.246Z",
"dateReserved": "2025-02-26T02:08:31.560Z",
"dateUpdated": "2025-10-01T19:46:51.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47652 (GCVE-0-2021-47652)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
I got a null-ptr-deref report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:fb_destroy_modelist+0x38/0x100
...
Call Trace:
ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]
usb_probe_interface+0x1aa/0x3c0 [usbcore]
really_probe+0x167/0x460
...
ret_from_fork+0x1f/0x30
If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will
be called to destroy modelist in the error handling path. But modelist
has not been initialized yet, so it will result in null-ptr-deref.
Initialize modelist before calling fb_alloc_cmap() to fix this bug.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 Version: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:21.892843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1b6a1f0c23b7164250479bf92e2893291dca539",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "0fd28daec73525382e5c992db8743bf76e42cd5c",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "dd3a6cc7385b89ec2303f39dfc3bafa4e24cec4b",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "da8b269cc0a2526ebeaccbe2484c999eb0f822cf",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "64ec3e678d76419f207b9cdd338dda438ca10b1c",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "c420b540db4b5d69de0a36d8b9d9a6a79a04f05a",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "d396c651e2b508b6179bb678cc029f3becbf5170",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "9280ef235b05e8f19f8bc6d547b992f0a0ef398d",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "1791f487f877a9e83d81c8677bd3e7b259e7cb27",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()\n\nI got a null-ptr-deref report:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:fb_destroy_modelist+0x38/0x100\n...\nCall Trace:\n ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]\n usb_probe_interface+0x1aa/0x3c0 [usbcore]\n really_probe+0x167/0x460\n...\n ret_from_fork+0x1f/0x30\n\nIf fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will\nbe called to destroy modelist in the error handling path. But modelist\nhas not been initialized yet, so it will result in null-ptr-deref.\n\nInitialize modelist before calling fb_alloc_cmap() to fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:33.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1b6a1f0c23b7164250479bf92e2893291dca539"
},
{
"url": "https://git.kernel.org/stable/c/0fd28daec73525382e5c992db8743bf76e42cd5c"
},
{
"url": "https://git.kernel.org/stable/c/dd3a6cc7385b89ec2303f39dfc3bafa4e24cec4b"
},
{
"url": "https://git.kernel.org/stable/c/da8b269cc0a2526ebeaccbe2484c999eb0f822cf"
},
{
"url": "https://git.kernel.org/stable/c/64ec3e678d76419f207b9cdd338dda438ca10b1c"
},
{
"url": "https://git.kernel.org/stable/c/c420b540db4b5d69de0a36d8b9d9a6a79a04f05a"
},
{
"url": "https://git.kernel.org/stable/c/d396c651e2b508b6179bb678cc029f3becbf5170"
},
{
"url": "https://git.kernel.org/stable/c/9280ef235b05e8f19f8bc6d547b992f0a0ef398d"
},
{
"url": "https://git.kernel.org/stable/c/1791f487f877a9e83d81c8677bd3e7b259e7cb27"
}
],
"title": "video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47652",
"datePublished": "2025-02-26T01:54:18.089Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-10-01T19:57:07.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21718 (GCVE-0-2025-21718)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: fix timer races against user threads
Rose timers only acquire the socket spinlock, without
checking if the socket is owned by one user thread.
Add a check and rearm the timers if needed.
BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
expire_timers kernel/time/timer.c:1844 [inline]
__run_timers kernel/time/timer.c:2418 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
run_timer_base kernel/time/timer.c:2439 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:13.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52f5aff33ca73b2c2fa93f40a3de308012e63cf4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1409b45d4690308c502c6caf22f01c3c205b4717",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f55c88e3ca5939a6a8a329024aed8f3d98eea8e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51c128ba038cf1b79d605cbee325919b45ab95a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1992fb261c90e9827cf5dc3115d89bb0853252c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "58051a284ac18a3bb815aac6289a679903ddcc3f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5de7665e0a0746b5ad7943554b34db8f8614a196",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRose timers only acquire the socket spinlock, without\nchecking if the socket is owned by one user thread.\n\nAdd a check and rearm the timers if needed.\n\nBUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\nRead of size 2 at addr ffff88802f09b82a by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\n call_timer_fn+0x187/0x650 kernel/time/timer.c:1793\n expire_timers kernel/time/timer.c:1844 [inline]\n __run_timers kernel/time/timer.c:2418 [inline]\n __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430\n run_timer_base kernel/time/timer.c:2439 [inline]\n run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:42.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52f5aff33ca73b2c2fa93f40a3de308012e63cf4"
},
{
"url": "https://git.kernel.org/stable/c/0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1"
},
{
"url": "https://git.kernel.org/stable/c/1409b45d4690308c502c6caf22f01c3c205b4717"
},
{
"url": "https://git.kernel.org/stable/c/f55c88e3ca5939a6a8a329024aed8f3d98eea8e4"
},
{
"url": "https://git.kernel.org/stable/c/51c128ba038cf1b79d605cbee325919b45ab95a5"
},
{
"url": "https://git.kernel.org/stable/c/1992fb261c90e9827cf5dc3115d89bb0853252c9"
},
{
"url": "https://git.kernel.org/stable/c/58051a284ac18a3bb815aac6289a679903ddcc3f"
},
{
"url": "https://git.kernel.org/stable/c/5de7665e0a0746b5ad7943554b34db8f8614a196"
}
],
"title": "net: rose: fix timer races against user threads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21718",
"datePublished": "2025-02-27T02:07:27.971Z",
"dateReserved": "2024-12-29T08:45:45.753Z",
"dateUpdated": "2025-11-03T19:36:13.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49162 (GCVE-0-2022-49162)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: sm712fb: Fix crash in smtcfb_write()
When the sm712fb driver writes three bytes to the framebuffer, the
driver will crash:
BUG: unable to handle page fault for address: ffffc90001ffffff
RIP: 0010:smtcfb_write+0x454/0x5b0
Call Trace:
vfs_write+0x291/0xd60
? do_sys_openat2+0x27d/0x350
? __fget_light+0x54/0x340
ksys_write+0xce/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Fix it by removing the open-coded endianness fixup-code.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/sm712fb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb791514acf9070225eed46e1ccbb0aa7aae5da5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ec746674296c94137f074309c26d17e644c0498",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1aea36a62f0a0ad67eccc945bac0bd6422ef720f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3b36c05f68ba32d0dfb63abc9016d6fe9117829f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1c28577529cdfad40c8242673285f1e1e4c314e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eae90015d10f0c9a47fc4adccba4cd79dce664e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aeb635b49530b7d19e140949753409f759ba99be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "809b8cde86320698661eec677222bc5c5df76176",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f01d09b2bbfbcb47b3eb305560a7f4857a32260",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/sm712fb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: sm712fb: Fix crash in smtcfb_write()\n\nWhen the sm712fb driver writes three bytes to the framebuffer, the\ndriver will crash:\n\n BUG: unable to handle page fault for address: ffffc90001ffffff\n RIP: 0010:smtcfb_write+0x454/0x5b0\n Call Trace:\n vfs_write+0x291/0xd60\n ? do_sys_openat2+0x27d/0x350\n ? __fget_light+0x54/0x340\n ksys_write+0xce/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix it by removing the open-coded endianness fixup-code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:19.568Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb791514acf9070225eed46e1ccbb0aa7aae5da5"
},
{
"url": "https://git.kernel.org/stable/c/0ec746674296c94137f074309c26d17e644c0498"
},
{
"url": "https://git.kernel.org/stable/c/1aea36a62f0a0ad67eccc945bac0bd6422ef720f"
},
{
"url": "https://git.kernel.org/stable/c/3b36c05f68ba32d0dfb63abc9016d6fe9117829f"
},
{
"url": "https://git.kernel.org/stable/c/b1c28577529cdfad40c8242673285f1e1e4c314e"
},
{
"url": "https://git.kernel.org/stable/c/eae90015d10f0c9a47fc4adccba4cd79dce664e4"
},
{
"url": "https://git.kernel.org/stable/c/aeb635b49530b7d19e140949753409f759ba99be"
},
{
"url": "https://git.kernel.org/stable/c/809b8cde86320698661eec677222bc5c5df76176"
},
{
"url": "https://git.kernel.org/stable/c/4f01d09b2bbfbcb47b3eb305560a7f4857a32260"
}
],
"title": "video: fbdev: sm712fb: Fix crash in smtcfb_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49162",
"datePublished": "2025-02-26T01:55:23.548Z",
"dateReserved": "2025-02-26T01:49:39.277Z",
"dateUpdated": "2025-05-04T08:31:19.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49264 (GCVE-0-2022-49264)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exec: Force single empty string when argv is empty
Quoting[1] Ariadne Conill:
"In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[2]:
The argument arg0 should point to a filename string that is
associated with the process being started by one of the exec
functions.
...
Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
of this bug in a shellcode, we can reconsider.
This issue is being tracked in the KSPP issue tracker[5]."
While the initial code searches[6][7] turned up what appeared to be
mostly corner case tests, trying to that just reject argv == NULL
(or an immediately terminated pointer list) quickly started tripping[8]
existing userspace programs.
The next best approach is forcing a single empty string into argv and
adjusting argc to match. The number of programs depending on argc == 0
seems a smaller set than those calling execve with a NULL argv.
Account for the additional stack space in bprm_stack_limits(). Inject an
empty string when argc == 0 (and set argc = 1). Warn about the case so
userspace has some notice about the change:
process './argc0' launched './argc0' with NULL argv: empty string added
Additionally WARN() and reject NULL argv usage for kernel threads.
[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "41f6ea5b9aaa28b740d47ffe995a5013211fdbb0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98e0c7c702894987732776736c99b85ade6fba45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b50fb8dbc8b81aaa126387de428f4c42a7c72a73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1fe82bfd9e4ce93399d815ca458b58505191c3e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27a6f495b63a1804cc71be45911065db7757a98c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1290eb4412aa0f0e9f3434b406dc8e255da85f9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8054d3fa5deb84b215d6be1b910a978f3cb840d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cfbfff8ce5e3d674947581f1eb9af0a1b1807950",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dcd46d897adb70d63e025f175a00a89797d31a43",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.282",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.317",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Force single empty string when argv is empty\n\nQuoting[1] Ariadne Conill:\n\n\"In several other operating systems, it is a hard requirement that the\nsecond argument to execve(2) be the name of a program, thus prohibiting\na scenario where argc \u003c 1. POSIX 2017 also recommends this behaviour,\nbut it is not an explicit requirement[2]:\n\n The argument arg0 should point to a filename string that is\n associated with the process being started by one of the exec\n functions.\n...\nInterestingly, Michael Kerrisk opened an issue about this in 2008[3],\nbut there was no consensus to support fixing this issue then.\nHopefully now that CVE-2021-4034 shows practical exploitative use[4]\nof this bug in a shellcode, we can reconsider.\n\nThis issue is being tracked in the KSPP issue tracker[5].\"\n\nWhile the initial code searches[6][7] turned up what appeared to be\nmostly corner case tests, trying to that just reject argv == NULL\n(or an immediately terminated pointer list) quickly started tripping[8]\nexisting userspace programs.\n\nThe next best approach is forcing a single empty string into argv and\nadjusting argc to match. The number of programs depending on argc == 0\nseems a smaller set than those calling execve with a NULL argv.\n\nAccount for the additional stack space in bprm_stack_limits(). Inject an\nempty string when argc == 0 (and set argc = 1). Warn about the case so\nuserspace has some notice about the change:\n\n process \u0027./argc0\u0027 launched \u0027./argc0\u0027 with NULL argv: empty string added\n\nAdditionally WARN() and reject NULL argv usage for kernel threads.\n\n[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/\n[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html\n[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408\n[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\n[5] https://github.com/KSPP/linux/issues/176\n[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL\u0026literal=0\n[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL\u0026literal=0\n[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:39.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/41f6ea5b9aaa28b740d47ffe995a5013211fdbb0"
},
{
"url": "https://git.kernel.org/stable/c/98e0c7c702894987732776736c99b85ade6fba45"
},
{
"url": "https://git.kernel.org/stable/c/b50fb8dbc8b81aaa126387de428f4c42a7c72a73"
},
{
"url": "https://git.kernel.org/stable/c/1fe82bfd9e4ce93399d815ca458b58505191c3e8"
},
{
"url": "https://git.kernel.org/stable/c/27a6f495b63a1804cc71be45911065db7757a98c"
},
{
"url": "https://git.kernel.org/stable/c/1290eb4412aa0f0e9f3434b406dc8e255da85f9e"
},
{
"url": "https://git.kernel.org/stable/c/a8054d3fa5deb84b215d6be1b910a978f3cb840d"
},
{
"url": "https://git.kernel.org/stable/c/cfbfff8ce5e3d674947581f1eb9af0a1b1807950"
},
{
"url": "https://git.kernel.org/stable/c/dcd46d897adb70d63e025f175a00a89797d31a43"
}
],
"title": "exec: Force single empty string when argv is empty",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49264",
"datePublished": "2025-02-26T01:56:14.664Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:39.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49716 (GCVE-0-2022-49716)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3: Fix error handling in gic_populate_ppi_partitions
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
When kcalloc fails, it missing of_node_put() and results in refcount
leak. Fix this by goto out_put_node label.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:16.480466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:44.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58e67c81e229351027d28c610638378606e33a08",
"status": "affected",
"version": "52085d3f2028d853f8d6ce7ead2f8a504f6077fa",
"versionType": "git"
},
{
"lessThan": "7c9dd9d23f26dabcfb14148b9acdfba540418b19",
"status": "affected",
"version": "52085d3f2028d853f8d6ce7ead2f8a504f6077fa",
"versionType": "git"
},
{
"lessThan": "0b325d993995a321f6ab4e6c51f0504ec092bf5b",
"status": "affected",
"version": "52085d3f2028d853f8d6ce7ead2f8a504f6077fa",
"versionType": "git"
},
{
"lessThan": "c83c34c57798fc41faefcf078be78683db2f4beb",
"status": "affected",
"version": "52085d3f2028d853f8d6ce7ead2f8a504f6077fa",
"versionType": "git"
},
{
"lessThan": "ec8401a429ffee34ccf38cebf3443f8d5ae6cb0d",
"status": "affected",
"version": "52085d3f2028d853f8d6ce7ead2f8a504f6077fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix error handling in gic_populate_ppi_partitions\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nWhen kcalloc fails, it missing of_node_put() and results in refcount\nleak. Fix this by goto out_put_node label."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:57.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58e67c81e229351027d28c610638378606e33a08"
},
{
"url": "https://git.kernel.org/stable/c/7c9dd9d23f26dabcfb14148b9acdfba540418b19"
},
{
"url": "https://git.kernel.org/stable/c/0b325d993995a321f6ab4e6c51f0504ec092bf5b"
},
{
"url": "https://git.kernel.org/stable/c/c83c34c57798fc41faefcf078be78683db2f4beb"
},
{
"url": "https://git.kernel.org/stable/c/ec8401a429ffee34ccf38cebf3443f8d5ae6cb0d"
}
],
"title": "irqchip/gic-v3: Fix error handling in gic_populate_ppi_partitions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49716",
"datePublished": "2025-02-26T02:24:31.586Z",
"dateReserved": "2025-02-26T02:21:30.445Z",
"dateUpdated": "2025-10-01T19:36:44.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49490 (GCVE-0-2022-49490)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected
mdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring
the modeset lock, but currently mdp5_pipe_release doesn't check for if
an error is returned. Because of this, there is a possibility of
mdp5_pipe_release hitting a NULL dereference error.
To avoid this, let's have mdp5_pipe_release check if
mdp5_get_global_state returns an error and propogate that error.
Changes since v1:
- Separated declaration and initialization of *new_state to avoid
compiler warning
- Fixed some spelling mistakes in commit message
Changes since v2:
- Return 0 in case where hwpipe is NULL as this is considered normal
behavior
- Added 2nd patch in series to fix a similar NULL dereference issue in
mdp5_mixer_release
Patchwork: https://patchwork.freedesktop.org/patch/485179/
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.h",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "b2aa2c4efe93e2580d6a8774b04fe2b99756a322",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "49dc28b4b2e28ef7564e355c91487996c1cbebd7",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "19964dfb39bda4d7716a71009488f0668ecbcf52",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "d59be579fa932c46b908f37509f319cbd4ca9a68",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.h",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected\n\nmdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring\nthe modeset lock, but currently mdp5_pipe_release doesn\u0027t check for if\nan error is returned. Because of this, there is a possibility of\nmdp5_pipe_release hitting a NULL dereference error.\n\nTo avoid this, let\u0027s have mdp5_pipe_release check if\nmdp5_get_global_state returns an error and propogate that error.\n\nChanges since v1:\n- Separated declaration and initialization of *new_state to avoid\n compiler warning\n- Fixed some spelling mistakes in commit message\n\nChanges since v2:\n- Return 0 in case where hwpipe is NULL as this is considered normal\n behavior\n- Added 2nd patch in series to fix a similar NULL dereference issue in\n mdp5_mixer_release\n\nPatchwork: https://patchwork.freedesktop.org/patch/485179/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:01.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b"
},
{
"url": "https://git.kernel.org/stable/c/b2aa2c4efe93e2580d6a8774b04fe2b99756a322"
},
{
"url": "https://git.kernel.org/stable/c/49dc28b4b2e28ef7564e355c91487996c1cbebd7"
},
{
"url": "https://git.kernel.org/stable/c/04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8"
},
{
"url": "https://git.kernel.org/stable/c/19964dfb39bda4d7716a71009488f0668ecbcf52"
},
{
"url": "https://git.kernel.org/stable/c/33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb"
},
{
"url": "https://git.kernel.org/stable/c/d59be579fa932c46b908f37509f319cbd4ca9a68"
}
],
"title": "drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49490",
"datePublished": "2025-02-26T02:13:27.529Z",
"dateReserved": "2025-02-26T02:08:31.585Z",
"dateUpdated": "2025-05-04T08:39:01.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49685 (GCVE-0-2022-49685)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: trigger: sysfs: fix use-after-free on remove
Ensure that the irq_work has completed before the trigger is freed.
==================================================================
BUG: KASAN: use-after-free in irq_work_run_list
Read of size 8 at addr 0000000064702248 by task python3/25
Call Trace:
irq_work_run_list
irq_work_tick
update_process_times
tick_sched_handle
tick_sched_timer
__hrtimer_run_queues
hrtimer_interrupt
Allocated by task 25:
kmem_cache_alloc_trace
iio_sysfs_trig_add
dev_attr_store
sysfs_kf_write
kernfs_fop_write_iter
new_sync_write
vfs_write
ksys_write
sys_write
Freed by task 25:
kfree
iio_sysfs_trig_remove
dev_attr_store
sysfs_kf_write
kernfs_fop_write_iter
new_sync_write
vfs_write
ksys_write
sys_write
==================================================================
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c Version: f38bc926d022ebd67baad6ac7fc22c95fbc6238c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:09.914625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/trigger/iio-trig-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6111e7bdb8ec27eb43d01c4cd4ff1620a75f7f2",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "fd5d8fb298a2866c337da635c79d63c3afabcaf7",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "31ff3309b47d98313c61b8301bf595820cc3cc33",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "5e39397d60dacc7f5d81d442c1c958eaaaf31128",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "b07a30a774b3c3e584a68dc91779c68ea2da4813",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "4687c3f955240ca2a576bdc3f742d4d915b6272d",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "4ef1e521be610b720daeb7cf899fedc7db0274c4",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
},
{
"lessThan": "78601726d4a59a291acc5a52da1d3a0a6831e4e8",
"status": "affected",
"version": "f38bc926d022ebd67baad6ac7fc22c95fbc6238c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/trigger/iio-trig-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.321",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.286",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: trigger: sysfs: fix use-after-free on remove\n\nEnsure that the irq_work has completed before the trigger is freed.\n\n ==================================================================\n BUG: KASAN: use-after-free in irq_work_run_list\n Read of size 8 at addr 0000000064702248 by task python3/25\n\n Call Trace:\n irq_work_run_list\n irq_work_tick\n update_process_times\n tick_sched_handle\n tick_sched_timer\n __hrtimer_run_queues\n hrtimer_interrupt\n\n Allocated by task 25:\n kmem_cache_alloc_trace\n iio_sysfs_trig_add\n dev_attr_store\n sysfs_kf_write\n kernfs_fop_write_iter\n new_sync_write\n vfs_write\n ksys_write\n sys_write\n\n Freed by task 25:\n kfree\n iio_sysfs_trig_remove\n dev_attr_store\n sysfs_kf_write\n kernfs_fop_write_iter\n new_sync_write\n vfs_write\n ksys_write\n sys_write\n\n =================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:17.291Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6111e7bdb8ec27eb43d01c4cd4ff1620a75f7f2"
},
{
"url": "https://git.kernel.org/stable/c/fd5d8fb298a2866c337da635c79d63c3afabcaf7"
},
{
"url": "https://git.kernel.org/stable/c/31ff3309b47d98313c61b8301bf595820cc3cc33"
},
{
"url": "https://git.kernel.org/stable/c/5e39397d60dacc7f5d81d442c1c958eaaaf31128"
},
{
"url": "https://git.kernel.org/stable/c/b07a30a774b3c3e584a68dc91779c68ea2da4813"
},
{
"url": "https://git.kernel.org/stable/c/4687c3f955240ca2a576bdc3f742d4d915b6272d"
},
{
"url": "https://git.kernel.org/stable/c/4ef1e521be610b720daeb7cf899fedc7db0274c4"
},
{
"url": "https://git.kernel.org/stable/c/78601726d4a59a291acc5a52da1d3a0a6831e4e8"
}
],
"title": "iio: trigger: sysfs: fix use-after-free on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49685",
"datePublished": "2025-02-26T02:24:12.143Z",
"dateReserved": "2025-02-26T02:21:30.441Z",
"dateUpdated": "2025-05-04T08:43:17.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49451 (GCVE-0-2022-49451)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix list protocols enumeration in the base protocol
While enumerating protocols implemented by the SCMI platform using
BASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is
currently validated in an improper way since the check employs a sum
between unsigned integers that could overflow and cause the check itself
to be silently bypassed if the returned value 'loop_num_ret' is big
enough.
Fix the validation avoiding the addition.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e Version: b6f20ff8bd94ad34032804a60bab5ee56752007e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:29.513301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scmi/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "444a2d27fe9867d0da4b28fc45b793f32e099ab8",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "b0e4bafac8963c2d85ee18d3d01f393735acceec",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "1052f22e127d0c34c3387bb389424ba1c61491ff",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "98342148a8cd242855d7e257f298c966c96dba9f",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "6e7978695f4a6cbd83616b5a702b77fa2087b247",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "2ccfcd7a09c826516edcfe464b05071961aada3f",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
},
{
"lessThan": "8009120e0354a67068e920eb10dce532391361d0",
"status": "affected",
"version": "b6f20ff8bd94ad34032804a60bab5ee56752007e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scmi/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix list protocols enumeration in the base protocol\n\nWhile enumerating protocols implemented by the SCMI platform using\nBASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is\ncurrently validated in an improper way since the check employs a sum\nbetween unsigned integers that could overflow and cause the check itself\nto be silently bypassed if the returned value \u0027loop_num_ret\u0027 is big\nenough.\n\nFix the validation avoiding the addition."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:01.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/444a2d27fe9867d0da4b28fc45b793f32e099ab8"
},
{
"url": "https://git.kernel.org/stable/c/b0e4bafac8963c2d85ee18d3d01f393735acceec"
},
{
"url": "https://git.kernel.org/stable/c/1052f22e127d0c34c3387bb389424ba1c61491ff"
},
{
"url": "https://git.kernel.org/stable/c/98342148a8cd242855d7e257f298c966c96dba9f"
},
{
"url": "https://git.kernel.org/stable/c/6e7978695f4a6cbd83616b5a702b77fa2087b247"
},
{
"url": "https://git.kernel.org/stable/c/2ccfcd7a09c826516edcfe464b05071961aada3f"
},
{
"url": "https://git.kernel.org/stable/c/8009120e0354a67068e920eb10dce532391361d0"
}
],
"title": "firmware: arm_scmi: Fix list protocols enumeration in the base protocol",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49451",
"datePublished": "2025-02-26T02:13:01.077Z",
"dateReserved": "2025-02-26T02:08:31.572Z",
"dateUpdated": "2025-10-01T19:46:48.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49527 (GCVE-0-2022-49527)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: venus: hfi: avoid null dereference in deinit
If venus_probe fails at pm_runtime_put_sync the error handling first
calls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets
core->ops to NULL, hfi_core_deinit cannot call the core_deinit function
anymore.
Avoid this null pointer derefence by skipping the call when necessary.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 Version: 09c2845e8fe4fcab942929480203f504a6e0a114 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:05.634392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/hfi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2533acb652359c9e097dfa33587896af782e8a91",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "a21d15dde21d7e8ae047eb8368677407db45d840",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "0ac84ab50712879eac3c1dd2598440652a85d3d0",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "27ad46da44177a78a4a0cae6fe03906888c61aa1",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "9c385b961d4c378228e80f6abea8509cb67feab6",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "0ed5a643b1a4a46b9b7bfba5d468c10cc30e1359",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "b73ed0510bb8d9647cd8e8a4c4c8772bbe545c3a",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
},
{
"lessThan": "86594f6af867b5165d2ba7b5a71fae3a5961e56c",
"status": "affected",
"version": "09c2845e8fe4fcab942929480203f504a6e0a114",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/venus/hfi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: avoid null dereference in deinit\n\nIf venus_probe fails at pm_runtime_put_sync the error handling first\ncalls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets\ncore-\u003eops to NULL, hfi_core_deinit cannot call the core_deinit function\nanymore.\n\nAvoid this null pointer derefence by skipping the call when necessary."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:51.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2533acb652359c9e097dfa33587896af782e8a91"
},
{
"url": "https://git.kernel.org/stable/c/a21d15dde21d7e8ae047eb8368677407db45d840"
},
{
"url": "https://git.kernel.org/stable/c/0ac84ab50712879eac3c1dd2598440652a85d3d0"
},
{
"url": "https://git.kernel.org/stable/c/27ad46da44177a78a4a0cae6fe03906888c61aa1"
},
{
"url": "https://git.kernel.org/stable/c/9c385b961d4c378228e80f6abea8509cb67feab6"
},
{
"url": "https://git.kernel.org/stable/c/0ed5a643b1a4a46b9b7bfba5d468c10cc30e1359"
},
{
"url": "https://git.kernel.org/stable/c/b73ed0510bb8d9647cd8e8a4c4c8772bbe545c3a"
},
{
"url": "https://git.kernel.org/stable/c/86594f6af867b5165d2ba7b5a71fae3a5961e56c"
}
],
"title": "media: venus: hfi: avoid null dereference in deinit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49527",
"datePublished": "2025-02-26T02:13:49.627Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-10-01T19:46:41.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50290 (GCVE-0-2024-50290)
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2025-11-03 22:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: cx24116: prevent overflows on SNR calculus
as reported by Coverity, if reading SNR registers fail, a negative
number will be returned, causing an underflow when reading SNR
registers.
Prevent that.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:14:24.422369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:21.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:10.894Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/cx24116.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "127b9076baeadd734b18ddc8f2cd93b47d5a3ea3",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "cad97ca8cfd43a78a19b59949f33e3563d369247",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "828047c70f4716fde4b1316f7b610e97a4e83824",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "f2b4f277c41db8d548f38f1dd091bbdf6a5acb07",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "fbefe31e4598cdb0889eee2e74c995b2212efb08",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "83c152b55d88cbf6fc4685941fcb31333986774d",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "3a1ed994d9454132354b860321414955da289929",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
},
{
"lessThan": "576a307a7650bd544fbb24df801b9b7863b85e2f",
"status": "affected",
"version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/cx24116.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx24116: prevent overflows on SNR calculus\n\nas reported by Coverity, if reading SNR registers fail, a negative\nnumber will be returned, causing an underflow when reading SNR\nregisters.\n\nPrevent that."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:50:57.523Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/127b9076baeadd734b18ddc8f2cd93b47d5a3ea3"
},
{
"url": "https://git.kernel.org/stable/c/cad97ca8cfd43a78a19b59949f33e3563d369247"
},
{
"url": "https://git.kernel.org/stable/c/828047c70f4716fde4b1316f7b610e97a4e83824"
},
{
"url": "https://git.kernel.org/stable/c/f2b4f277c41db8d548f38f1dd091bbdf6a5acb07"
},
{
"url": "https://git.kernel.org/stable/c/fbefe31e4598cdb0889eee2e74c995b2212efb08"
},
{
"url": "https://git.kernel.org/stable/c/83c152b55d88cbf6fc4685941fcb31333986774d"
},
{
"url": "https://git.kernel.org/stable/c/3a1ed994d9454132354b860321414955da289929"
},
{
"url": "https://git.kernel.org/stable/c/576a307a7650bd544fbb24df801b9b7863b85e2f"
}
],
"title": "media: cx24116: prevent overflows on SNR calculus",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50290",
"datePublished": "2024-11-19T01:30:35.352Z",
"dateReserved": "2024-10-21T19:36:19.985Z",
"dateUpdated": "2025-11-03T22:28:10.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0995 (GCVE-0-2022-0995)
Vulnerability from cvelistv5
Published
2022-03-25 18:03
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220429-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "kernel 5.17 rc8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel\u2019s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-29T13:07:11",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220429-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0995",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kernel",
"version": {
"version_data": [
{
"version_value": "kernel 5.17 rc8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel\u2019s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063786"
},
{
"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb",
"refsource": "MISC",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb"
},
{
"name": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html"
},
{
"name": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220429-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220429-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0995",
"datePublished": "2022-03-25T18:03:08",
"dateReserved": "2022-03-16T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49332 (GCVE-0-2022-49332)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Address NULL pointer dereference after starget_to_rport()
Calls to starget_to_rport() may return NULL. Add check for NULL rport
before dereference.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:15.634513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68fcff1127e4995ddbd4b6861892a25c23db3f70",
"status": "affected",
"version": "bb21fc9911eea92afd476f7e64b327716e042a25",
"versionType": "git"
},
{
"lessThan": "6f808bd78e8296b4ded813b7182988d57e1f6176",
"status": "affected",
"version": "bb21fc9911eea92afd476f7e64b327716e042a25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Address NULL pointer dereference after starget_to_rport()\n\nCalls to starget_to_rport() may return NULL. Add check for NULL rport\nbefore dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:23.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68fcff1127e4995ddbd4b6861892a25c23db3f70"
},
{
"url": "https://git.kernel.org/stable/c/6f808bd78e8296b4ded813b7182988d57e1f6176"
}
],
"title": "scsi: lpfc: Address NULL pointer dereference after starget_to_rport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49332",
"datePublished": "2025-02-26T02:10:51.612Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-10-01T19:46:55.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49433 (GCVE-0-2022-49433)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hfi1: Prevent use of lock before it is initialized
If there is a failure during probe of hfi1 before the sdma_map_lock is
initialized, the call to hfi1_free_devdata() will attempt to use a lock
that has not been initialized. If the locking correctness validator is on
then an INFO message and stack trace resembling the following may be seen:
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
Call Trace:
register_lock_class+0x11b/0x880
__lock_acquire+0xf3/0x7930
lock_acquire+0xff/0x2d0
_raw_spin_lock_irq+0x46/0x60
sdma_clean+0x42a/0x660 [hfi1]
hfi1_free_devdata+0x3a7/0x420 [hfi1]
init_one+0x867/0x11a0 [hfi1]
pci_device_probe+0x40e/0x8d0
The use of sdma_map_lock in sdma_clean() is for freeing the sdma_map
memory, and sdma_map is not allocated/initialized until after
sdma_map_lock has been initialized. This code only needs to be run if
sdma_map is not NULL, and so checking for that condition will avoid trying
to use the lock before it is initialized.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66090815a24ce14cf51ef5453fc0218fe8a39bc2",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "addb192000d8819c0b1553453994df9bb54c28db",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "fc0750e659db7b315bf6348902cc8ca3cdd4b8d8",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "ca55150bff5817af4f857a746ecab9862c23e12a",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "30eb275e7ed588270ae159cc590a96658e0cfd8f",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "288d198f50434f29b4a26a9de4394ae2305ad8af",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "05c03dfd09c069c4ffd783b47b2da5dcc9421f2c",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Prevent use of lock before it is initialized\n\nIf there is a failure during probe of hfi1 before the sdma_map_lock is\ninitialized, the call to hfi1_free_devdata() will attempt to use a lock\nthat has not been initialized. If the locking correctness validator is on\nthen an INFO message and stack trace resembling the following may be seen:\n\n INFO: trying to register non-static key.\n The code is fine but needs lockdep annotation, or maybe\n you didn\u0027t initialize this object before use?\n turning off the locking correctness validator.\n Call Trace:\n register_lock_class+0x11b/0x880\n __lock_acquire+0xf3/0x7930\n lock_acquire+0xff/0x2d0\n _raw_spin_lock_irq+0x46/0x60\n sdma_clean+0x42a/0x660 [hfi1]\n hfi1_free_devdata+0x3a7/0x420 [hfi1]\n init_one+0x867/0x11a0 [hfi1]\n pci_device_probe+0x40e/0x8d0\n\nThe use of sdma_map_lock in sdma_clean() is for freeing the sdma_map\nmemory, and sdma_map is not allocated/initialized until after\nsdma_map_lock has been initialized. This code only needs to be run if\nsdma_map is not NULL, and so checking for that condition will avoid trying\nto use the lock before it is initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:33.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66090815a24ce14cf51ef5453fc0218fe8a39bc2"
},
{
"url": "https://git.kernel.org/stable/c/addb192000d8819c0b1553453994df9bb54c28db"
},
{
"url": "https://git.kernel.org/stable/c/fc0750e659db7b315bf6348902cc8ca3cdd4b8d8"
},
{
"url": "https://git.kernel.org/stable/c/ca55150bff5817af4f857a746ecab9862c23e12a"
},
{
"url": "https://git.kernel.org/stable/c/30eb275e7ed588270ae159cc590a96658e0cfd8f"
},
{
"url": "https://git.kernel.org/stable/c/288d198f50434f29b4a26a9de4394ae2305ad8af"
},
{
"url": "https://git.kernel.org/stable/c/05c03dfd09c069c4ffd783b47b2da5dcc9421f2c"
}
],
"title": "RDMA/hfi1: Prevent use of lock before it is initialized",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49433",
"datePublished": "2025-02-26T02:12:50.553Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:33.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57973 (GCVE-0-2024-57973)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rdma/cxgb4: Prevent potential integer overflow on 32bit
The "gl->tot_len" variable is controlled by the user. It comes from
process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct
cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an
integer wrapping bug. Use size_add() to prevent this.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 Version: 1cab775c3e75f1250c965feafd061d696df36e53 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:49.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/cxgb4/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b759f78b83221f4a1cae3aeb20b500e375f3ee6",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "d64148a10a85952352de6091ceed99fb9ce2d3ee",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "e53ca458f543aa352d09b484550de173cb9085c2",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "4422f452d028850b9cc4fd8f1cf45a8ff91855eb",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "de8d88b68d0cfd41152a7a63d6aec0ed3e1b837a",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "dd352107f22bfbecbbf3b74bde14f3f932296309",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "aeb814484387811b3579d5c78ad4eb301e3bf1c8",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
},
{
"lessThan": "bd96a3935e89486304461a21752f824fc25e0f0b",
"status": "affected",
"version": "1cab775c3e75f1250c965feafd061d696df36e53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/cxgb4/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrdma/cxgb4: Prevent potential integer overflow on 32bit\n\nThe \"gl-\u003etot_len\" variable is controlled by the user. It comes from\nprocess_responses(). On 32bit systems, the \"gl-\u003etot_len + sizeof(struct\ncpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an\ninteger wrapping bug. Use size_add() to prevent this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:27.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b759f78b83221f4a1cae3aeb20b500e375f3ee6"
},
{
"url": "https://git.kernel.org/stable/c/d64148a10a85952352de6091ceed99fb9ce2d3ee"
},
{
"url": "https://git.kernel.org/stable/c/e53ca458f543aa352d09b484550de173cb9085c2"
},
{
"url": "https://git.kernel.org/stable/c/4422f452d028850b9cc4fd8f1cf45a8ff91855eb"
},
{
"url": "https://git.kernel.org/stable/c/de8d88b68d0cfd41152a7a63d6aec0ed3e1b837a"
},
{
"url": "https://git.kernel.org/stable/c/dd352107f22bfbecbbf3b74bde14f3f932296309"
},
{
"url": "https://git.kernel.org/stable/c/aeb814484387811b3579d5c78ad4eb301e3bf1c8"
},
{
"url": "https://git.kernel.org/stable/c/bd96a3935e89486304461a21752f824fc25e0f0b"
}
],
"title": "rdma/cxgb4: Prevent potential integer overflow on 32bit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57973",
"datePublished": "2025-02-27T02:07:02.342Z",
"dateReserved": "2025-02-27T02:04:28.911Z",
"dateUpdated": "2025-11-03T19:32:49.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49160 (GCVE-0-2022-49160)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix crash during module load unload test
During purex packet handling the driver was incorrectly freeing a
pre-allocated structure. Fix this by skipping that entry.
System crashed with the following stack during a module unload test.
Call Trace:
sbitmap_init_node+0x7f/0x1e0
sbitmap_queue_init_node+0x24/0x150
blk_mq_init_bitmaps+0x3d/0xa0
blk_mq_init_tags+0x68/0x90
blk_mq_alloc_map_and_rqs+0x44/0x120
blk_mq_alloc_set_map_and_rqs+0x63/0x150
blk_mq_alloc_tag_set+0x11b/0x230
scsi_add_host_with_dma.cold+0x3f/0x245
qla2x00_probe_one+0xd5a/0x1b80 [qla2xxx]
Call Trace with slub_debug and debug kernel:
kasan_report_invalid_free+0x50/0x80
__kasan_slab_free+0x137/0x150
slab_free_freelist_hook+0xc6/0x190
kfree+0xe8/0x2e0
qla2x00_free_device+0x3bb/0x5d0 [qla2xxx]
qla2x00_remove_one+0x668/0xcf0 [qla2xxx]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b7eb92dac240ab3bc83e188d83a3df834b41eb2",
"status": "affected",
"version": "62e9dd177732843ae6c5b9d2ed61e7c9538fa276",
"versionType": "git"
},
{
"lessThan": "213e57b42537f1a2e5395caa9d7189854133ed12",
"status": "affected",
"version": "62e9dd177732843ae6c5b9d2ed61e7c9538fa276",
"versionType": "git"
},
{
"lessThan": "67f744f73eba870ab96411d0310e831a4adc3713",
"status": "affected",
"version": "62e9dd177732843ae6c5b9d2ed61e7c9538fa276",
"versionType": "git"
},
{
"lessThan": "0972252450f90db56dd5415a20e2aec21a08d036",
"status": "affected",
"version": "62e9dd177732843ae6c5b9d2ed61e7c9538fa276",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash during module load unload test\n\nDuring purex packet handling the driver was incorrectly freeing a\npre-allocated structure. Fix this by skipping that entry.\n\nSystem crashed with the following stack during a module unload test.\n\nCall Trace:\n\tsbitmap_init_node+0x7f/0x1e0\n\tsbitmap_queue_init_node+0x24/0x150\n\tblk_mq_init_bitmaps+0x3d/0xa0\n\tblk_mq_init_tags+0x68/0x90\n\tblk_mq_alloc_map_and_rqs+0x44/0x120\n\tblk_mq_alloc_set_map_and_rqs+0x63/0x150\n\tblk_mq_alloc_tag_set+0x11b/0x230\n\tscsi_add_host_with_dma.cold+0x3f/0x245\n\tqla2x00_probe_one+0xd5a/0x1b80 [qla2xxx]\n\nCall Trace with slub_debug and debug kernel:\n\tkasan_report_invalid_free+0x50/0x80\n\t__kasan_slab_free+0x137/0x150\n\tslab_free_freelist_hook+0xc6/0x190\n\tkfree+0xe8/0x2e0\n\tqla2x00_free_device+0x3bb/0x5d0 [qla2xxx]\n\tqla2x00_remove_one+0x668/0xcf0 [qla2xxx]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:16.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b7eb92dac240ab3bc83e188d83a3df834b41eb2"
},
{
"url": "https://git.kernel.org/stable/c/213e57b42537f1a2e5395caa9d7189854133ed12"
},
{
"url": "https://git.kernel.org/stable/c/67f744f73eba870ab96411d0310e831a4adc3713"
},
{
"url": "https://git.kernel.org/stable/c/0972252450f90db56dd5415a20e2aec21a08d036"
}
],
"title": "scsi: qla2xxx: Fix crash during module load unload test",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49160",
"datePublished": "2025-02-26T01:55:22.562Z",
"dateReserved": "2025-02-26T01:49:39.276Z",
"dateUpdated": "2025-05-04T08:31:16.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49122 (GCVE-0-2022-49122)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm ioctl: prevent potential spectre v1 gadget
It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
from being leaked to userspace via speculative execution by using
array_index_nospec.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76c94651005f58885facf9c973007f5ea01ab01f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "58880025e3362024f6d8ea01cb0c7a5df6c84ba6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ae2c5b89da3cfaf856df880af27d3bb32a74b3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0320bac5801b31407200227173205d017488f140",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71c8df33fd777c7628f6fbc09b14e84806c55914",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02cc46f397eb3691c56affbd5073e54f7a82ac32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "44e6cb3ab177faae840bb2c1ebda9a2539876184",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd86064417de828ff2102ddc6049c829bf7585b4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd9c88da171a62c4b0f1c70e50c75845969fbc18",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm ioctl: prevent potential spectre v1 gadget\n\nIt appears like cmd could be a Spectre v1 gadget as it\u0027s supplied by a\nuser and used as an array index. Prevent the contents of kernel memory\nfrom being leaked to userspace via speculative execution by using\narray_index_nospec."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:21.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76c94651005f58885facf9c973007f5ea01ab01f"
},
{
"url": "https://git.kernel.org/stable/c/58880025e3362024f6d8ea01cb0c7a5df6c84ba6"
},
{
"url": "https://git.kernel.org/stable/c/7ae2c5b89da3cfaf856df880af27d3bb32a74b3d"
},
{
"url": "https://git.kernel.org/stable/c/0320bac5801b31407200227173205d017488f140"
},
{
"url": "https://git.kernel.org/stable/c/71c8df33fd777c7628f6fbc09b14e84806c55914"
},
{
"url": "https://git.kernel.org/stable/c/02cc46f397eb3691c56affbd5073e54f7a82ac32"
},
{
"url": "https://git.kernel.org/stable/c/44e6cb3ab177faae840bb2c1ebda9a2539876184"
},
{
"url": "https://git.kernel.org/stable/c/dd86064417de828ff2102ddc6049c829bf7585b4"
},
{
"url": "https://git.kernel.org/stable/c/cd9c88da171a62c4b0f1c70e50c75845969fbc18"
}
],
"title": "dm ioctl: prevent potential spectre v1 gadget",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49122",
"datePublished": "2025-02-26T01:55:02.161Z",
"dateReserved": "2025-02-26T01:49:39.264Z",
"dateUpdated": "2025-05-04T08:30:21.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49251 (GCVE-0-2022-49251)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: va-macro: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-va-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "966408e37d84b762d11978b7bfb03fff0c6222ad",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "4a799972a283ab4ec031041304d7e2d34e1a16eb",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
},
{
"lessThan": "0ea5eff7c6063a8f124188424f8e4c6727f35051",
"status": "affected",
"version": "908e6b1df26efc9d2df70c9a7bf4f5eae5c5702f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-va-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: va-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:22.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/966408e37d84b762d11978b7bfb03fff0c6222ad"
},
{
"url": "https://git.kernel.org/stable/c/4a799972a283ab4ec031041304d7e2d34e1a16eb"
},
{
"url": "https://git.kernel.org/stable/c/c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f"
},
{
"url": "https://git.kernel.org/stable/c/0ea5eff7c6063a8f124188424f8e4c6727f35051"
}
],
"title": "ASoC: codecs: va-macro: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49251",
"datePublished": "2025-02-26T01:56:08.180Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:22.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49326 (GCVE-0-2022-49326)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtl818x: Prevent using not initialized queues
Using not existing queues can panic the kernel with rtl8180/rtl8185 cards.
Ignore the skb priority for those cards, they only have one tx queue. Pierre
Asselin (pa@panix.com) reported the kernel crash in the Gentoo forum:
https://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html
He also confirmed that this patch fixes the issue. In summary this happened:
After updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a
"divide error: 0000" when connecting to an AP. Control port tx now tries to
use IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in
2.10.
Since only the rtl8187se part of the driver supports QoS, the priority
of the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185
cards.
rtl8180 is then unconditionally reading out the priority and finally crashes on
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this
patch:
idx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries
"ring->entries" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got
initialized.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:30.625103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:56.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5dca2cd3f0239512da808598b4e70557eb4c2a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7e30dfc166d33470bba31a42f9bbc346e5409d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d5e96cc1f1720019ce27b127a31695148d38bb0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8ce58ab80faaea015c206382041ff3bcf5495ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "769ec2a824deae2f1268dfda14999a4d14d0d0c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ad81ad0cf5744738ce94c8e64051ddd80a1734c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ad1981fc4de3afb7db3e8eb5a6a52d4c7d0d577",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98e55b0b876bde3353f4e074883d66ecb55c65a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "746285cf81dc19502ab238249d75f5990bd2d231",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtl818x: Prevent using not initialized queues\n\nUsing not existing queues can panic the kernel with rtl8180/rtl8185 cards.\nIgnore the skb priority for those cards, they only have one tx queue. Pierre\nAsselin (pa@panix.com) reported the kernel crash in the Gentoo forum:\n\nhttps://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html\n\nHe also confirmed that this patch fixes the issue. In summary this happened:\n\nAfter updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a\n\"divide error: 0000\" when connecting to an AP. Control port tx now tries to\nuse IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in\n2.10.\n\nSince only the rtl8187se part of the driver supports QoS, the priority\nof the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185\ncards.\n\nrtl8180 is then unconditionally reading out the priority and finally crashes on\ndrivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this\npatch:\n\tidx = (ring-\u003eidx + skb_queue_len(\u0026ring-\u003equeue)) % ring-\u003eentries\n\n\"ring-\u003eentries\" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got\ninitialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:15.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5dca2cd3f0239512da808598b4e70557eb4c2a1"
},
{
"url": "https://git.kernel.org/stable/c/d7e30dfc166d33470bba31a42f9bbc346e5409d5"
},
{
"url": "https://git.kernel.org/stable/c/9d5e96cc1f1720019ce27b127a31695148d38bb0"
},
{
"url": "https://git.kernel.org/stable/c/b8ce58ab80faaea015c206382041ff3bcf5495ff"
},
{
"url": "https://git.kernel.org/stable/c/769ec2a824deae2f1268dfda14999a4d14d0d0c5"
},
{
"url": "https://git.kernel.org/stable/c/6ad81ad0cf5744738ce94c8e64051ddd80a1734c"
},
{
"url": "https://git.kernel.org/stable/c/9ad1981fc4de3afb7db3e8eb5a6a52d4c7d0d577"
},
{
"url": "https://git.kernel.org/stable/c/98e55b0b876bde3353f4e074883d66ecb55c65a3"
},
{
"url": "https://git.kernel.org/stable/c/746285cf81dc19502ab238249d75f5990bd2d231"
}
],
"title": "rtl818x: Prevent using not initialized queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49326",
"datePublished": "2025-02-26T02:10:48.630Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-10-01T19:46:56.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49699 (GCVE-0-2022-49699)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
filemap: Handle sibling entries in filemap_get_read_batch()
If a read races with an invalidation followed by another read, it is
possible for a folio to be replaced with a higher-order folio. If that
happens, we'll see a sibling entry for the new folio in the next iteration
of the loop. This manifests as a NULL pointer dereference while holding
the RCU read lock.
Handle this by simply returning. The next call will find the new folio
and handle it correctly. The other ways of handling this rare race are
more complex and it's just not worth it.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a66f131d30e53000f08301776bf85c912ef47aad",
"status": "affected",
"version": "cbd59c48ae2bcadc4a7599c29cf32fd3f9b78251",
"versionType": "git"
},
{
"lessThan": "cb995f4eeba9d268fd4b56c2423ad6c1d1ea1b82",
"status": "affected",
"version": "cbd59c48ae2bcadc4a7599c29cf32fd3f9b78251",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: Handle sibling entries in filemap_get_read_batch()\n\nIf a read races with an invalidation followed by another read, it is\npossible for a folio to be replaced with a higher-order folio. If that\nhappens, we\u0027ll see a sibling entry for the new folio in the next iteration\nof the loop. This manifests as a NULL pointer dereference while holding\nthe RCU read lock.\n\nHandle this by simply returning. The next call will find the new folio\nand handle it correctly. The other ways of handling this rare race are\nmore complex and it\u0027s just not worth it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:31.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a66f131d30e53000f08301776bf85c912ef47aad"
},
{
"url": "https://git.kernel.org/stable/c/cb995f4eeba9d268fd4b56c2423ad6c1d1ea1b82"
}
],
"title": "filemap: Handle sibling entries in filemap_get_read_batch()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49699",
"datePublished": "2025-02-26T02:24:20.198Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-05-04T08:43:31.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49225 (GCVE-0-2022-49225)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7921s: fix a possible memory leak in mt7921_load_patch
Always release fw data at the end of mt7921_load_patch routine.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:18.830599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:03.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b301043384c5c2447357952be9a536c2026d8ad0",
"status": "affected",
"version": "78b217580c50994ae22dde4ecaaf147de0f355f6",
"versionType": "git"
},
{
"lessThan": "11005b18f453aa192d035d410c11d07edcba5a45",
"status": "affected",
"version": "78b217580c50994ae22dde4ecaaf147de0f355f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921s: fix a possible memory leak in mt7921_load_patch\n\nAlways release fw data at the end of mt7921_load_patch routine."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:50.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b301043384c5c2447357952be9a536c2026d8ad0"
},
{
"url": "https://git.kernel.org/stable/c/11005b18f453aa192d035d410c11d07edcba5a45"
}
],
"title": "mt76: mt7921s: fix a possible memory leak in mt7921_load_patch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49225",
"datePublished": "2025-02-26T01:55:55.244Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-10-01T19:47:03.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49673 (GCVE-0-2022-49673)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm raid: fix KASAN warning in raid5_add_disks
There's a KASAN warning in raid5_add_disk when running the LVM testsuite.
The warning happens in the test
lvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning
by verifying that rdev->saved_raid_disk is within limits.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d4e7c9898c20fb3d3f55381cab601761aab7d64",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fb2928728038280bd925ce2aafb4997e9d47ee9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3553a69bb52be2deba61d0ca064c41aee842bb35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f157bd9cf377a947fdb7035e69466b6ecdc17c17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d8bca518d5272fe349e0a722fdb9e3acb661f3f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5b06039b195d4b6f94f5d345b1e4ac1975a9832",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02cffb1921edadd9b6e4eee7ada4a5213e8ba12e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "617b365872a247480e9dcd50a32c8d1806b21861",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.322",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix KASAN warning in raid5_add_disks\n\nThere\u0027s a KASAN warning in raid5_add_disk when running the LVM testsuite.\nThe warning happens in the test\nlvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning\nby verifying that rdev-\u003esaved_raid_disk is within limits."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:02.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d4e7c9898c20fb3d3f55381cab601761aab7d64"
},
{
"url": "https://git.kernel.org/stable/c/2fb2928728038280bd925ce2aafb4997e9d47ee9"
},
{
"url": "https://git.kernel.org/stable/c/3553a69bb52be2deba61d0ca064c41aee842bb35"
},
{
"url": "https://git.kernel.org/stable/c/f157bd9cf377a947fdb7035e69466b6ecdc17c17"
},
{
"url": "https://git.kernel.org/stable/c/d8bca518d5272fe349e0a722fdb9e3acb661f3f0"
},
{
"url": "https://git.kernel.org/stable/c/d5b06039b195d4b6f94f5d345b1e4ac1975a9832"
},
{
"url": "https://git.kernel.org/stable/c/02cffb1921edadd9b6e4eee7ada4a5213e8ba12e"
},
{
"url": "https://git.kernel.org/stable/c/617b365872a247480e9dcd50a32c8d1806b21861"
}
],
"title": "dm raid: fix KASAN warning in raid5_add_disks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49673",
"datePublished": "2025-02-26T02:24:05.945Z",
"dateReserved": "2025-02-26T02:21:30.437Z",
"dateUpdated": "2025-05-04T08:43:02.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47644 (GCVE-0-2021-47644)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: staging: media: zoran: move videodev alloc
Move some code out of zr36057_init() and create new functions for handling
zr->video_dev. This permit to ease code reading and fix a zr->video_dev
memory leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:36.427391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/zoran/zoran.h",
"drivers/staging/media/zoran/zoran_card.c",
"drivers/staging/media/zoran/zoran_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dce4b265a5357731058f69645840dabc718c687",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd01629315ffd5b63da91d0bd529a77d30e55028",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "ff3357bffd9fb78f59762d8955afc7382a279079",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "c1ba65100a359fe28cfe37e09e10c99f247cbf1e",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "1e501ec38796f43e995731d1bcd4173cb1ccfce0",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "82e3a496eb56da0b9f29fdc5b63cedb3289e91de",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/zoran/zoran.h",
"drivers/staging/media/zoran/zoran_card.c",
"drivers/staging/media/zoran/zoran_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "5.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging: media: zoran: move videodev alloc\n\nMove some code out of zr36057_init() and create new functions for handling\nzr-\u003evideo_dev. This permit to ease code reading and fix a zr-\u003evideo_dev\nmemory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T11:16:57.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dce4b265a5357731058f69645840dabc718c687"
},
{
"url": "https://git.kernel.org/stable/c/bd01629315ffd5b63da91d0bd529a77d30e55028"
},
{
"url": "https://git.kernel.org/stable/c/ff3357bffd9fb78f59762d8955afc7382a279079"
},
{
"url": "https://git.kernel.org/stable/c/c1ba65100a359fe28cfe37e09e10c99f247cbf1e"
},
{
"url": "https://git.kernel.org/stable/c/1e501ec38796f43e995731d1bcd4173cb1ccfce0"
},
{
"url": "https://git.kernel.org/stable/c/82e3a496eb56da0b9f29fdc5b63cedb3289e91de"
}
],
"title": "media: staging: media: zoran: move videodev alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47644",
"datePublished": "2025-02-26T01:54:14.179Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:07.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49216 (GCVE-0-2022-49216)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
The reference taken by 'of_find_device_by_node()' must be released when
not needed anymore. Add put_device() call to fix this.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f Version: e94236cde4d519cdecd45e2435defba33abdc99f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:34.911172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:04.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e2f4e434e71dffd1085c3dccd676514bd71d316",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "5e8fdb6392d945d33fef959eab73f8c34bc0a63b",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "2d6ae8b747fe55f54de4a4441d636974aa53f56a",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "a725070701883fe62266ee6d2f31d67e6cdd31df",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "1e06710c43a090f14bb67714265a01cd1d7a37c5",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "852c1f5f3119a38ee68e319bab10277fc1ab06b7",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "cd78b74031cbc94133965f1017deb822657fc1a6",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "f3c99c686e098300c246e5e8a1474133e3dacb05",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
},
{
"lessThan": "221e3638feb8bc42143833c9a704fa89b6c366bb",
"status": "affected",
"version": "e94236cde4d519cdecd45e2435defba33abdc99f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix reference leak in tegra_dsi_ganged_probe\n\nThe reference taken by \u0027of_find_device_by_node()\u0027 must be released when\nnot needed anymore. Add put_device() call to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:33.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e2f4e434e71dffd1085c3dccd676514bd71d316"
},
{
"url": "https://git.kernel.org/stable/c/5e8fdb6392d945d33fef959eab73f8c34bc0a63b"
},
{
"url": "https://git.kernel.org/stable/c/2d6ae8b747fe55f54de4a4441d636974aa53f56a"
},
{
"url": "https://git.kernel.org/stable/c/a725070701883fe62266ee6d2f31d67e6cdd31df"
},
{
"url": "https://git.kernel.org/stable/c/1e06710c43a090f14bb67714265a01cd1d7a37c5"
},
{
"url": "https://git.kernel.org/stable/c/852c1f5f3119a38ee68e319bab10277fc1ab06b7"
},
{
"url": "https://git.kernel.org/stable/c/cd78b74031cbc94133965f1017deb822657fc1a6"
},
{
"url": "https://git.kernel.org/stable/c/f3c99c686e098300c246e5e8a1474133e3dacb05"
},
{
"url": "https://git.kernel.org/stable/c/221e3638feb8bc42143833c9a704fa89b6c366bb"
}
],
"title": "drm/tegra: Fix reference leak in tegra_dsi_ganged_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49216",
"datePublished": "2025-02-26T01:55:50.651Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:04.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53026 (GCVE-0-2023-53026)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix ib block iterator counter overflow
When registering a new DMA MR after selecting the best aligned page size
for it, we iterate over the given sglist to split each entry to smaller,
aligned to the selected page size, DMA blocks.
In given circumstances where the sg entry and page size fit certain
sizes and the sg entry is not aligned to the selected page size, the
total size of the aligned pages we need to cover the sg entry is >= 4GB.
Under this circumstances, while iterating page aligned blocks, the
counter responsible for counting how much we advanced from the start of
the sg entry is overflowed because its type is u32 and we pass 4GB in
size. This can lead to an infinite loop inside the iterator function
because the overflow prevents the counter to be larger
than the size of the sg entry.
Fix the presented problem by changing the advancement condition to
eliminate overflow.
Backtrace:
[ 192.374329] efa_reg_user_mr_dmabuf
[ 192.376783] efa_register_mr
[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000
[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]
[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3
[ 192.399559] hp_cnt[3], pages_in_hp[524288]
[ 192.403690] umem->sgt_append.sgt.nents[1]
[ 192.407905] number entries: [1], pg_bit: [31]
[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]
[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]
[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:18:44.025281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:18:47.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "902063a9fea5f8252df392ade746bc9cfd07a5ae",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "d66c1d4178c219b6e7d7a6f714e3e3656faccc36",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "362c9489720b31b6aa7491423ba65a4e98aa9838",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "43811d07ea64366af8ec9e168c558ec51440c39e",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "0afec5e9cea732cb47014655685a2a47fb180c31",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix ib block iterator counter overflow\n\nWhen registering a new DMA MR after selecting the best aligned page size\nfor it, we iterate over the given sglist to split each entry to smaller,\naligned to the selected page size, DMA blocks.\n\nIn given circumstances where the sg entry and page size fit certain\nsizes and the sg entry is not aligned to the selected page size, the\ntotal size of the aligned pages we need to cover the sg entry is \u003e= 4GB.\nUnder this circumstances, while iterating page aligned blocks, the\ncounter responsible for counting how much we advanced from the start of\nthe sg entry is overflowed because its type is u32 and we pass 4GB in\nsize. This can lead to an infinite loop inside the iterator function\nbecause the overflow prevents the counter to be larger\nthan the size of the sg entry.\n\nFix the presented problem by changing the advancement condition to\neliminate overflow.\n\nBacktrace:\n[ 192.374329] efa_reg_user_mr_dmabuf\n[ 192.376783] efa_register_mr\n[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000\n[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]\n[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3\n[ 192.399559] hp_cnt[3], pages_in_hp[524288]\n[ 192.403690] umem-\u003esgt_append.sgt.nents[1]\n[ 192.407905] number entries: [1], pg_bit: [31]\n[ 192.411397] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.415601] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]\n[ 192.419823] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.423976] biter-\u003e__sg_advance [2813321216] sg_dma_len[3221225472]\n[ 192.428243] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.432397] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:02.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/902063a9fea5f8252df392ade746bc9cfd07a5ae"
},
{
"url": "https://git.kernel.org/stable/c/d66c1d4178c219b6e7d7a6f714e3e3656faccc36"
},
{
"url": "https://git.kernel.org/stable/c/362c9489720b31b6aa7491423ba65a4e98aa9838"
},
{
"url": "https://git.kernel.org/stable/c/43811d07ea64366af8ec9e168c558ec51440c39e"
},
{
"url": "https://git.kernel.org/stable/c/0afec5e9cea732cb47014655685a2a47fb180c31"
}
],
"title": "RDMA/core: Fix ib block iterator counter overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53026",
"datePublished": "2025-03-27T16:43:51.194Z",
"dateReserved": "2025-03-27T16:40:15.756Z",
"dateUpdated": "2025-10-01T17:18:47.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49678 (GCVE-0-2022-49678)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: bcm: brcmstb: pm: pm-arm: Fix refcount leak in brcmstb_pm_probe
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
In brcmstb_init_sram, it pass dn to of_address_to_resource(),
of_address_to_resource() will call of_find_device_by_node() to take
reference, so we should release the reference returned by
of_find_matching_node().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0b741b8234c86065fb6954d32d427b3f7e14756f Version: 0b741b8234c86065fb6954d32d427b3f7e14756f Version: 0b741b8234c86065fb6954d32d427b3f7e14756f Version: 0b741b8234c86065fb6954d32d427b3f7e14756f Version: 0b741b8234c86065fb6954d32d427b3f7e14756f Version: 0b741b8234c86065fb6954d32d427b3f7e14756f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:09.025205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:46.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/bcm/brcmstb/pm/pm-arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f5877bdf7b593e988f1924f4c3df6523f80b39c",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
},
{
"lessThan": "734a4d15142bb4c8ecad2d8ec70d7564e78ae34d",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
},
{
"lessThan": "30bbfeb480ae8b5ee43199d72417b232590440c2",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
},
{
"lessThan": "10ba9d499a9fd82ed40897e734ba19870a879407",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
},
{
"lessThan": "dcafd5463d8f20c4f90ddc138a5738adb99f74c8",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
},
{
"lessThan": "37d838de369b07b596c19ff3662bf0293fdb09ee",
"status": "affected",
"version": "0b741b8234c86065fb6954d32d427b3f7e14756f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/bcm/brcmstb/pm/pm-arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: bcm: brcmstb: pm: pm-arm: Fix refcount leak in brcmstb_pm_probe\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\n\nIn brcmstb_init_sram, it pass dn to of_address_to_resource(),\nof_address_to_resource() will call of_find_device_by_node() to take\nreference, so we should release the reference returned by\nof_find_matching_node()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:08.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f5877bdf7b593e988f1924f4c3df6523f80b39c"
},
{
"url": "https://git.kernel.org/stable/c/734a4d15142bb4c8ecad2d8ec70d7564e78ae34d"
},
{
"url": "https://git.kernel.org/stable/c/30bbfeb480ae8b5ee43199d72417b232590440c2"
},
{
"url": "https://git.kernel.org/stable/c/10ba9d499a9fd82ed40897e734ba19870a879407"
},
{
"url": "https://git.kernel.org/stable/c/dcafd5463d8f20c4f90ddc138a5738adb99f74c8"
},
{
"url": "https://git.kernel.org/stable/c/37d838de369b07b596c19ff3662bf0293fdb09ee"
}
],
"title": "soc: bcm: brcmstb: pm: pm-arm: Fix refcount leak in brcmstb_pm_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49678",
"datePublished": "2025-02-26T02:24:08.833Z",
"dateReserved": "2025-02-26T02:21:30.438Z",
"dateUpdated": "2025-10-01T19:36:46.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21839 (GCVE-0-2025-21839)
Vulnerability from cvelistv5
Published
2025-03-07 09:09
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop
Move the conditional loading of hardware DR6 with the guest's DR6 value
out of the core .vcpu_run() loop to fix a bug where KVM can load hardware
with a stale vcpu->arch.dr6.
When the guest accesses a DR and host userspace isn't debugging the guest,
KVM disables DR interception and loads the guest's values into hardware on
VM-Enter and saves them on VM-Exit. This allows the guest to access DRs
at will, e.g. so that a sequence of DR accesses to configure a breakpoint
only generates one VM-Exit.
For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also
identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)
and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading
DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.
But for DR6, the guest's value doesn't need to be loaded into hardware for
KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas
VMX requires software to manually load the guest value, and so loading the
guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done
_inside_ the core run loop.
Unfortunately, saving the guest values on VM-Exit is initiated by common
x86, again outside of the core run loop. If the guest modifies DR6 (in
hardware, when DR interception is disabled), and then the next VM-Exit is
a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and
clobber the guest's actual value.
The bug shows up primarily with nested VMX because KVM handles the VMX
preemption timer in the fastpath, and the window between hardware DR6
being modified (in guest context) and DR6 being read by guest software is
orders of magnitude larger in a nested setup. E.g. in non-nested, the
VMX preemption timer would need to fire precisely between #DB injection
and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the
window where hardware DR6 is "dirty" extends all the way from L1 writing
DR6 to VMRESUME (in L1).
L1's view:
==========
<L1 disables DR interception>
CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0
A: L1 Writes DR6
CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1
B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec
D: L1 reads DR6, arch.dr6 = 0
CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0
CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0
L2 reads DR6, L1 disables DR interception
CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216
CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0
CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0
L2 detects failure
CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT
L1 reads DR6 (confirms failure)
CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0
L0's view:
==========
L2 reads DR6, arch.dr6 = 0
CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216
CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216
L2 => L1 nested VM-Exit
CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216
CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23
CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD
CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23
CPU 23/KVM-5046 [001] d.... 3410.
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d67668e9dd76d98136048935723947156737932b Version: d67668e9dd76d98136048935723947156737932b Version: d67668e9dd76d98136048935723947156737932b Version: d67668e9dd76d98136048935723947156737932b Version: d67668e9dd76d98136048935723947156737932b Version: d67668e9dd76d98136048935723947156737932b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:57.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm-x86-ops.h",
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/vmx/main.c",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/x86_ops.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9efb2b99b96c86664bbdbdd2cdb354ac9627eb20",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "93eeb6df1605b3a24f38afdba7ab903ba6b64133",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "a1723e9c53fe6431415be19302a56543daf503f5",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "d456de38d9eb753a4e9fde053c18d4ef8e485339",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "c2fee09fc167c74a64adb08656cb993ea475197e",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm-x86-ops.h",
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/vmx/main.c",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/x86_ops.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop\n\nMove the conditional loading of hardware DR6 with the guest\u0027s DR6 value\nout of the core .vcpu_run() loop to fix a bug where KVM can load hardware\nwith a stale vcpu-\u003earch.dr6.\n\nWhen the guest accesses a DR and host userspace isn\u0027t debugging the guest,\nKVM disables DR interception and loads the guest\u0027s values into hardware on\nVM-Enter and saves them on VM-Exit. This allows the guest to access DRs\nat will, e.g. so that a sequence of DR accesses to configure a breakpoint\nonly generates one VM-Exit.\n\nFor DR0-DR3, the logic/behavior is identical between VMX and SVM, and also\nidentical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)\nand KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading\nDR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.\n\nBut for DR6, the guest\u0027s value doesn\u0027t need to be loaded into hardware for\nKVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas\nVMX requires software to manually load the guest value, and so loading the\nguest\u0027s value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done\n_inside_ the core run loop.\n\nUnfortunately, saving the guest values on VM-Exit is initiated by common\nx86, again outside of the core run loop. If the guest modifies DR6 (in\nhardware, when DR interception is disabled), and then the next VM-Exit is\na fastpath VM-Exit, KVM will reload hardware DR6 with vcpu-\u003earch.dr6 and\nclobber the guest\u0027s actual value.\n\nThe bug shows up primarily with nested VMX because KVM handles the VMX\npreemption timer in the fastpath, and the window between hardware DR6\nbeing modified (in guest context) and DR6 being read by guest software is\norders of magnitude larger in a nested setup. E.g. in non-nested, the\nVMX preemption timer would need to fire precisely between #DB injection\nand the #DB handler\u0027s read of DR6, whereas with a KVM-on-KVM setup, the\nwindow where hardware DR6 is \"dirty\" extends all the way from L1 writing\nDR6 to VMRESUME (in L1).\n\n L1\u0027s view:\n ==========\n \u003cL1 disables DR interception\u003e\n CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0\n A: L1 Writes DR6\n CPU 0/KVM-7289 [023] d.... 2925.640963: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff1\n\n B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec\n\n D: L1 reads DR6, arch.dr6 = 0\n CPU 0/KVM-7289 [023] d.... 2925.640969: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0\n L2 reads DR6, L1 disables DR interception\n CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216\n CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0\n\n CPU 0/KVM-7289 [023] d.... 2925.640983: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff0\n\n L2 detects failure\n CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT\n L1 reads DR6 (confirms failure)\n CPU 0/KVM-7289 [023] d.... 2925.640990: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n L0\u0027s view:\n ==========\n L2 reads DR6, arch.dr6 = 0\n CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n\n L2 =\u003e L1 nested VM-Exit\n CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216\n\n CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23\n CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD\n CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23\n CPU 23/KVM-5046 [001] d.... 3410.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T08:06:11.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9efb2b99b96c86664bbdbdd2cdb354ac9627eb20"
},
{
"url": "https://git.kernel.org/stable/c/93eeb6df1605b3a24f38afdba7ab903ba6b64133"
},
{
"url": "https://git.kernel.org/stable/c/a1723e9c53fe6431415be19302a56543daf503f5"
},
{
"url": "https://git.kernel.org/stable/c/4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55"
},
{
"url": "https://git.kernel.org/stable/c/d456de38d9eb753a4e9fde053c18d4ef8e485339"
},
{
"url": "https://git.kernel.org/stable/c/c2fee09fc167c74a64adb08656cb993ea475197e"
}
],
"title": "KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21839",
"datePublished": "2025-03-07T09:09:58.220Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2025-11-03T19:37:57.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49356 (GCVE-0-2022-49356)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Trap RDMA segment overflows
Prevent svc_rdma_build_writes() from walking off the end of a Write
chunk's segment array. Caught with KASAN.
The test that this fix replaces is invalid, and might have been left
over from an earlier prototype of the PCL work.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea26bf5eca1459b5a7824997d7823409ce38214e",
"status": "affected",
"version": "7a1cbfa18059a40d4752dab057384c3ca2de326c",
"versionType": "git"
},
{
"lessThan": "812c13521d4a72469c78ce06d8cdc8dc5b5557b5",
"status": "affected",
"version": "7a1cbfa18059a40d4752dab057384c3ca2de326c",
"versionType": "git"
},
{
"lessThan": "659f7568e09593945c221bf20217a82ebdfe1328",
"status": "affected",
"version": "7a1cbfa18059a40d4752dab057384c3ca2de326c",
"versionType": "git"
},
{
"lessThan": "f012e95b377c73c0283f009823c633104dedb337",
"status": "affected",
"version": "7a1cbfa18059a40d4752dab057384c3ca2de326c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Trap RDMA segment overflows\n\nPrevent svc_rdma_build_writes() from walking off the end of a Write\nchunk\u0027s segment array. Caught with KASAN.\n\nThe test that this fix replaces is invalid, and might have been left\nover from an earlier prototype of the PCL work."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:56.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea26bf5eca1459b5a7824997d7823409ce38214e"
},
{
"url": "https://git.kernel.org/stable/c/812c13521d4a72469c78ce06d8cdc8dc5b5557b5"
},
{
"url": "https://git.kernel.org/stable/c/659f7568e09593945c221bf20217a82ebdfe1328"
},
{
"url": "https://git.kernel.org/stable/c/f012e95b377c73c0283f009823c633104dedb337"
}
],
"title": "SUNRPC: Trap RDMA segment overflows",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49356",
"datePublished": "2025-02-26T02:11:06.430Z",
"dateReserved": "2025-02-26T02:08:31.545Z",
"dateUpdated": "2025-05-04T08:35:56.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49373 (GCVE-0-2022-49373)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() in some error paths.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf9006399939762e6cd32445e848e56727df9d98 Version: bf9006399939762e6cd32445e848e56727df9d98 Version: bf9006399939762e6cd32445e848e56727df9d98 Version: bf9006399939762e6cd32445e848e56727df9d98 Version: bf9006399939762e6cd32445e848e56727df9d98 Version: bf9006399939762e6cd32445e848e56727df9d98 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:11.612020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:52.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/ts4800_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b110d940417942bc87d9e4bea6d4f24e05ed483",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
},
{
"lessThan": "910b1cdf6c50ae8fb222e46657d04fb181577017",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
},
{
"lessThan": "7a4afd8a003d6abf1f5d159c2bb67e6b7cbde253",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
},
{
"lessThan": "91fa5aa53f68b85e779164b3127c7e23cad5c457",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
},
{
"lessThan": "f067b5286edfd83d2d3903e8578b561599d62539",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
},
{
"lessThan": "5d24df3d690809952528e7a19a43d84bc5b99d44",
"status": "affected",
"version": "bf9006399939762e6cd32445e848e56727df9d98",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/watchdog/ts4800_wdt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() in some error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:18.473Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b110d940417942bc87d9e4bea6d4f24e05ed483"
},
{
"url": "https://git.kernel.org/stable/c/910b1cdf6c50ae8fb222e46657d04fb181577017"
},
{
"url": "https://git.kernel.org/stable/c/7a4afd8a003d6abf1f5d159c2bb67e6b7cbde253"
},
{
"url": "https://git.kernel.org/stable/c/91fa5aa53f68b85e779164b3127c7e23cad5c457"
},
{
"url": "https://git.kernel.org/stable/c/f067b5286edfd83d2d3903e8578b561599d62539"
},
{
"url": "https://git.kernel.org/stable/c/5d24df3d690809952528e7a19a43d84bc5b99d44"
}
],
"title": "watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49373",
"datePublished": "2025-02-26T02:11:14.603Z",
"dateReserved": "2025-02-26T02:08:31.556Z",
"dateUpdated": "2025-10-01T19:46:52.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21764 (GCVE-0-2025-21764)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ndisc: use RCU protection in ndisc_alloc_skb()
ndisc_alloc_skb() can be called without RTNL or RCU being held.
Add RCU protection to avoid possible UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 Version: de09334b9326632bbf1a74bfd8b01866cbbf2f61 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:20.278381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:17.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96fc896d0e5b37c12808df797397fb16f3080879",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "b870256dd2a5648d5ed2f22316b3ac29a7e5ed63",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "3c2d705f5adf5d860aaef90cb4211c0fde2ba66d",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "9e0ec817eb41a55327a46cd3ce331a9868d60304",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "bbec88e4108e8d6fb468d3817fa652140a44ff28",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "cd1065f92eb7ff21b9ba5308a86f33d1670bf926",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "628e6d18930bbd21f2d4562228afe27694f66da9",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: use RCU protection in ndisc_alloc_skb()\n\nndisc_alloc_skb() can be called without RTNL or RCU being held.\n\nAdd RCU protection to avoid possible UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:36.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96fc896d0e5b37c12808df797397fb16f3080879"
},
{
"url": "https://git.kernel.org/stable/c/c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1"
},
{
"url": "https://git.kernel.org/stable/c/b870256dd2a5648d5ed2f22316b3ac29a7e5ed63"
},
{
"url": "https://git.kernel.org/stable/c/3c2d705f5adf5d860aaef90cb4211c0fde2ba66d"
},
{
"url": "https://git.kernel.org/stable/c/9e0ec817eb41a55327a46cd3ce331a9868d60304"
},
{
"url": "https://git.kernel.org/stable/c/bbec88e4108e8d6fb468d3817fa652140a44ff28"
},
{
"url": "https://git.kernel.org/stable/c/cd1065f92eb7ff21b9ba5308a86f33d1670bf926"
},
{
"url": "https://git.kernel.org/stable/c/628e6d18930bbd21f2d4562228afe27694f66da9"
}
],
"title": "ndisc: use RCU protection in ndisc_alloc_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21764",
"datePublished": "2025-02-27T02:18:15.598Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:17.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49494 (GCVE-0-2022-49494)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:52.763047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81f1ddffdc22ca5789e33b9d4712914e302090c1",
"status": "affected",
"version": "ec4ba01e894d3165e4d1ccbef782ef5593b708b4",
"versionType": "git"
},
{
"lessThan": "0cfee868b89ffa945f3d535ee5c985cb40c5a0f8",
"status": "affected",
"version": "ec4ba01e894d3165e4d1ccbef782ef5593b708b4",
"versionType": "git"
},
{
"lessThan": "069af5e27c1b0f7677ef76d8d3102e503ca4f80b",
"status": "affected",
"version": "ec4ba01e894d3165e4d1ccbef782ef5593b708b4",
"versionType": "git"
},
{
"lessThan": "13b60d3dc84b47307669edb66b633b18466014b4",
"status": "affected",
"version": "ec4ba01e894d3165e4d1ccbef782ef5593b708b4",
"versionType": "git"
},
{
"lessThan": "a28ed09dafee20da51eb26452950839633afd824",
"status": "affected",
"version": "ec4ba01e894d3165e4d1ccbef782ef5593b708b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:07.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81f1ddffdc22ca5789e33b9d4712914e302090c1"
},
{
"url": "https://git.kernel.org/stable/c/0cfee868b89ffa945f3d535ee5c985cb40c5a0f8"
},
{
"url": "https://git.kernel.org/stable/c/069af5e27c1b0f7677ef76d8d3102e503ca4f80b"
},
{
"url": "https://git.kernel.org/stable/c/13b60d3dc84b47307669edb66b633b18466014b4"
},
{
"url": "https://git.kernel.org/stable/c/a28ed09dafee20da51eb26452950839633afd824"
}
],
"title": "mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49494",
"datePublished": "2025-02-26T02:13:30.184Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:43.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49668 (GCVE-0-2022-49668)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
This function only calls of_node_put() in normal path,
missing it in error paths.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:24.960757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/event/exynos-ppmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdecd912e99acfd61507f1720d3f4eed1b3418d8",
"status": "affected",
"version": "f262f28c147051e7aa6daaf4fb5996833ffadff4",
"versionType": "git"
},
{
"lessThan": "e65027fdebbacd40595e96ef7b5d2418f71bddf2",
"status": "affected",
"version": "f262f28c147051e7aa6daaf4fb5996833ffadff4",
"versionType": "git"
},
{
"lessThan": "01121e39ef537289926ae6f5374dce92c796d863",
"status": "affected",
"version": "f262f28c147051e7aa6daaf4fb5996833ffadff4",
"versionType": "git"
},
{
"lessThan": "194781229d4cbc804b8ded13156eb8addce87d6c",
"status": "affected",
"version": "f262f28c147051e7aa6daaf4fb5996833ffadff4",
"versionType": "git"
},
{
"lessThan": "f44b799603a9b5d2e375b0b2d54dd0b791eddfc2",
"status": "affected",
"version": "f262f28c147051e7aa6daaf4fb5996833ffadff4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/event/exynos-ppmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nThis function only calls of_node_put() in normal path,\nmissing it in error paths.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:56.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdecd912e99acfd61507f1720d3f4eed1b3418d8"
},
{
"url": "https://git.kernel.org/stable/c/e65027fdebbacd40595e96ef7b5d2418f71bddf2"
},
{
"url": "https://git.kernel.org/stable/c/01121e39ef537289926ae6f5374dce92c796d863"
},
{
"url": "https://git.kernel.org/stable/c/194781229d4cbc804b8ded13156eb8addce87d6c"
},
{
"url": "https://git.kernel.org/stable/c/f44b799603a9b5d2e375b0b2d54dd0b791eddfc2"
}
],
"title": "PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49668",
"datePublished": "2025-02-26T02:24:02.662Z",
"dateReserved": "2025-02-26T02:21:30.436Z",
"dateUpdated": "2025-10-01T19:36:47.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49694 (GCVE-0-2022-49694)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: disable the elevator int del_gendisk
The elevator is only used for file system requests, which are stopped in
del_gendisk. Move disabling the elevator and freeing the scheduler tags
to the end of del_gendisk instead of doing that work in disk_release and
blk_cleanup_queue to avoid a use after free on q->tag_set from
disk_release as the tag_set might not be alive at that point.
Move the blk_qos_exit call as well, as it just depends on the elevator
exit and would be the only reason to keep the not exactly cheap queue
freeze in disk_release.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:16:23.386514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:21:44.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-core.c",
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f28699fafc047ec33299da01e928c3a0073c5cc6",
"status": "affected",
"version": "e155b0c238b20f0a866f4334d292656665836c8a",
"versionType": "git"
},
{
"lessThan": "50e34d78815e474d410f342fbe783b18192ca518",
"status": "affected",
"version": "e155b0c238b20f0a866f4334d292656665836c8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-core.c",
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: disable the elevator int del_gendisk\n\nThe elevator is only used for file system requests, which are stopped in\ndel_gendisk. Move disabling the elevator and freeing the scheduler tags\nto the end of del_gendisk instead of doing that work in disk_release and\nblk_cleanup_queue to avoid a use after free on q-\u003etag_set from\ndisk_release as the tag_set might not be alive at that point.\n\nMove the blk_qos_exit call as well, as it just depends on the elevator\nexit and would be the only reason to keep the not exactly cheap queue\nfreeze in disk_release."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:25.787Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f28699fafc047ec33299da01e928c3a0073c5cc6"
},
{
"url": "https://git.kernel.org/stable/c/50e34d78815e474d410f342fbe783b18192ca518"
}
],
"title": "block: disable the elevator int del_gendisk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49694",
"datePublished": "2025-02-26T02:24:16.910Z",
"dateReserved": "2025-02-26T02:21:30.442Z",
"dateUpdated": "2025-05-04T08:43:25.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21794 (GCVE-0-2025-21794)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()
Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
function from usb.c core driver, which executes a for loop that iterates
over the elements of the passed array. Not finding a null element at the end of
the array, it tries to read the next, non-existent element, crashing the kernel.
To fix this, a 0 element was added at the end of the array to break the for
loop.
[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:58.615776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:39.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:37.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-thrustmaster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "436f48c864186e9413d1b7c6e91767cc9e1a65b8",
"status": "affected",
"version": "220883fba32549a34f0734e4859d07f4dcd56992",
"versionType": "git"
},
{
"lessThan": "f3ce05283f6cb6e19c220f5382def43dc5bd56b9",
"status": "affected",
"version": "ae730deded66150204c494282969bfa98dc3ae67",
"versionType": "git"
},
{
"lessThan": "cdd9a1ea23ff1a272547217100663e8de4eada40",
"status": "affected",
"version": "e5bcae4212a6a4b4204f46a1b8bcba08909d2007",
"versionType": "git"
},
{
"lessThan": "73e36a699b9f46322ffb81f072a24e64f728dba7",
"status": "affected",
"version": "816e84602900f7f951458d743fa12769635ebfd5",
"versionType": "git"
},
{
"lessThan": "0b43d98ff29be3144e86294486b1373b5df74c0e",
"status": "affected",
"version": "50420d7c79c37a3efe4010ff9b1bb14bc61ebccf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-thrustmaster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.79",
"status": "affected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThan": "6.12.16",
"status": "affected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThan": "6.13.4",
"status": "affected",
"version": "6.13.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()\n\nSyzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from\nhid-thrustmaster driver. This array is passed to usb_check_int_endpoints\nfunction from usb.c core driver, which executes a for loop that iterates\nover the elements of the passed array. Not finding a null element at the end of\nthe array, it tries to read the next, non-existent element, crashing the kernel.\n\nTo fix this, a 0 element was added at the end of the array to break the for\nloop.\n\n[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:22.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8"
},
{
"url": "https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9"
},
{
"url": "https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40"
},
{
"url": "https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7"
},
{
"url": "https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e"
}
],
"title": "HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21794",
"datePublished": "2025-02-27T02:18:30.907Z",
"dateReserved": "2024-12-29T08:45:45.767Z",
"dateUpdated": "2025-11-03T20:59:37.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4453 (GCVE-0-2021-4453)
Vulnerability from cvelistv5
Published
2025-02-26 02:19
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: fix a potential gpu_metrics_table memory leak
Memory is allocated for gpu_metrics_table in renoir_init_smc_tables(),
but not freed in int smu_v12_0_fini_smc_tables(). Free it!
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-4453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:13.399991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "222cebd995cdf11fe0d502749560f65e64990e55",
"status": "affected",
"version": "95868b85764aff2dcbf78d3054076df75446ad15",
"versionType": "git"
},
{
"lessThan": "257b3bb16634fd936129fe2f57a91594a75b8751",
"status": "affected",
"version": "95868b85764aff2dcbf78d3054076df75446ad15",
"versionType": "git"
},
{
"lessThan": "aa464957f7e660abd554f2546a588f6533720e21",
"status": "affected",
"version": "95868b85764aff2dcbf78d3054076df75446ad15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.88",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a potential gpu_metrics_table memory leak\n\nMemory is allocated for gpu_metrics_table in renoir_init_smc_tables(),\nbut not freed in int smu_v12_0_fini_smc_tables(). Free it!"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T06:59:57.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/222cebd995cdf11fe0d502749560f65e64990e55"
},
{
"url": "https://git.kernel.org/stable/c/257b3bb16634fd936129fe2f57a91594a75b8751"
},
{
"url": "https://git.kernel.org/stable/c/aa464957f7e660abd554f2546a588f6533720e21"
}
],
"title": "drm/amd/pm: fix a potential gpu_metrics_table memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-4453",
"datePublished": "2025-02-26T02:19:34.893Z",
"dateReserved": "2025-02-26T02:18:22.518Z",
"dateUpdated": "2025-10-01T19:46:38.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47646 (GCVE-0-2021-47646)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "Revert "block, bfq: honor already-setup queue merges""
A crash [1] happened to be triggered in conjunction with commit
2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The
latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq:
honor already-setup queue merges""). Yet, the reverted commit was not
the one introducing the bug. In fact, it actually triggered a UAF
introduced by a different commit, and now fixed by commit d29bd41428cf
("block, bfq: reset last_bfqq_created on group change").
So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq:
honor already-setup queue merges") out. This commit restores it.
[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47646",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:39.194997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f990f0985eda59d4f29fc83fcf300c92b1225d39",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "931aff627469a75c77b9fd3823146d0575afffd6",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "cc051f497eac9d8a0d816cd4bffa3415f2724871",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "65d8a737452e88f251fe5d925371de6d606df613",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "abc2129e646af7b43025d90a071f83043f1ae76c",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "4083925bd6dc89216d156474a8076feec904e607",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "15729ff8143f8135b03988a100a19e66d7cb7ecd",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"Revert \"block, bfq: honor already-setup queue merges\"\"\n\nA crash [1] happened to be triggered in conjunction with commit\n2d52c58b9c9b (\"block, bfq: honor already-setup queue merges\"). The\nlatter was then reverted by commit ebc69e897e17 (\"Revert \"block, bfq:\nhonor already-setup queue merges\"\"). Yet, the reverted commit was not\nthe one introducing the bug. In fact, it actually triggered a UAF\nintroduced by a different commit, and now fixed by commit d29bd41428cf\n(\"block, bfq: reset last_bfqq_created on group change\").\n\nSo, there is no point in keeping commit 2d52c58b9c9b (\"block, bfq:\nhonor already-setup queue merges\") out. This commit restores it.\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:26.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f990f0985eda59d4f29fc83fcf300c92b1225d39"
},
{
"url": "https://git.kernel.org/stable/c/931aff627469a75c77b9fd3823146d0575afffd6"
},
{
"url": "https://git.kernel.org/stable/c/cc051f497eac9d8a0d816cd4bffa3415f2724871"
},
{
"url": "https://git.kernel.org/stable/c/65d8a737452e88f251fe5d925371de6d606df613"
},
{
"url": "https://git.kernel.org/stable/c/abc2129e646af7b43025d90a071f83043f1ae76c"
},
{
"url": "https://git.kernel.org/stable/c/4083925bd6dc89216d156474a8076feec904e607"
},
{
"url": "https://git.kernel.org/stable/c/15729ff8143f8135b03988a100a19e66d7cb7ecd"
}
],
"title": "Revert \"Revert \"block, bfq: honor already-setup queue merges\"\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47646",
"datePublished": "2025-02-26T01:54:15.122Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-05-04T07:15:26.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49311 (GCVE-0-2022-49311)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()
There is a deadlock in rtw_joinbss_event_prehandle(), which is shown
below:
(Thread 1) | (Thread 2)
| _set_timer()
rtw_joinbss_event_prehandle()| mod_timer()
spin_lock_bh() //(1) | (wait a time)
... | _rtw_join_timeout_handler()
del_timer_sync() | spin_lock_bh() //(2)
(wait timer to stop) | ...
We hold pmlmepriv->lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need pmlmepriv->lock in position (2) of thread 2.
As a result, rtw_joinbss_event_prehandle() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_bh(), which could let timer handler to obtain
the needed lock. What`s more, we change spin_lock_bh() to
spin_lock_irq() in _rtw_join_timeout_handler() in order to
prevent deadlock.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:17.966247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae60744d5fad840b9d056d35b4b652d95e755846",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "1f6c99b94ca3caad346876b3e22e3ca3d25bc8ee",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "eca9748d9267a38d532464e3305a38629e9c35a9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "041879b12ddb0c6c83ed9c0bdd10dc82a056f2fc",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()\n\nThere is a deadlock in rtw_joinbss_event_prehandle(), which is shown\nbelow:\n\n (Thread 1) | (Thread 2)\n | _set_timer()\nrtw_joinbss_event_prehandle()| mod_timer()\n spin_lock_bh() //(1) | (wait a time)\n ... | _rtw_join_timeout_handler()\n del_timer_sync() | spin_lock_bh() //(2)\n (wait timer to stop) | ...\n\nWe hold pmlmepriv-\u003elock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need pmlmepriv-\u003elock in position (2) of thread 2.\nAs a result, rtw_joinbss_event_prehandle() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_bh(), which could let timer handler to obtain\nthe needed lock. What`s more, we change spin_lock_bh() to\nspin_lock_irq() in _rtw_join_timeout_handler() in order to\nprevent deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:56.531Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae60744d5fad840b9d056d35b4b652d95e755846"
},
{
"url": "https://git.kernel.org/stable/c/1f6c99b94ca3caad346876b3e22e3ca3d25bc8ee"
},
{
"url": "https://git.kernel.org/stable/c/eca9748d9267a38d532464e3305a38629e9c35a9"
},
{
"url": "https://git.kernel.org/stable/c/041879b12ddb0c6c83ed9c0bdd10dc82a056f2fc"
}
],
"title": "drivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49311",
"datePublished": "2025-02-26T02:10:41.139Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:58.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21731 (GCVE-0-2025-21731)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect
Following process can cause nbd_config UAF:
1) grab nbd_config temporarily;
2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:
nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero
3) nbd_genl_reconfigure() queue recv_work() again;
nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)
4) step 1) release the reference;
5) Finially, recv_work() will trigger UAF:
recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF
Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd Version: b7aa3d39385dc2d95899f9e379623fef446a2acd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:00.860096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:36.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e70a578487a47d7cf058904141e586684d1c3381",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "6bef6222a3f6c7adb6396f77f25a3579d821b09a",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "e3be8862d73cac833e0fb7602636c19c6cb94b11",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "e7343fa33751cb07c1c56b666bf37cfca357130e",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "d208d2c52b652913b5eefc8ca434b0d6b757f68f",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
},
{
"lessThan": "844b8cdc681612ff24df62cdefddeab5772fadf1",
"status": "affected",
"version": "b7aa3d39385dc2d95899f9e379623fef446a2acd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don\u0027t allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n nbd_genl_disconnect\n nbd_disconnect_and_put\n nbd_disconnect\n flush_workqueue(nbd-\u003erecv_workq)\n if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n nbd_config_put\n -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n nbd_genl_reconfigure\n config = nbd_get_config_unlocked(nbd)\n if (!config)\n -\u003e succeed\n if (!test_bit(NBD_RT_BOUND, ...))\n -\u003e succeed\n nbd_reconnect_socket\n queue_work(nbd-\u003erecv_workq, \u0026args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n recv_work\n nbd_config_put(nbd)\n -\u003e nbd_config is freed\n atomic_dec(\u0026config-\u003erecv_threads)\n -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:56.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381"
},
{
"url": "https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a"
},
{
"url": "https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11"
},
{
"url": "https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e"
},
{
"url": "https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f"
},
{
"url": "https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739"
},
{
"url": "https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302"
},
{
"url": "https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1"
}
],
"title": "nbd: don\u0027t allow reconnect after disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21731",
"datePublished": "2025-02-27T02:07:35.927Z",
"dateReserved": "2024-12-29T08:45:45.755Z",
"dateUpdated": "2025-11-03T19:36:36.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49746 (GCVE-0-2022-49746)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-10-01 17:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init
If the function sdma_load_context() fails, the sdma_desc will be
freed, but the allocated desc->bd is forgot to be freed.
We already met the sdma_load_context() failure case and the log as
below:
[ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready
...
In this case, the desc->bd will not be freed without this change.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:25:21.461910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:25:25.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/imx-sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80ee99e52936b2c04cc37b17a14b2ae2f9d282ac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dbe634ce824329d8f14079c3e9f8f11670894bec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd0050b7ffa87c7b260d563646af612f4112a778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43acd767bd90c5d4172ce7fee5d9007a9a08dea9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce4745a6b8016fae74c95dcd457d4ceef7d98af1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1417f59ac0b02130ee56c0c50794b9b257be3d17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/imx-sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init\n\nIf the function sdma_load_context() fails, the sdma_desc will be\nfreed, but the allocated desc-\u003ebd is forgot to be freed.\n\nWe already met the sdma_load_context() failure case and the log as\nbelow:\n[ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready\n...\n\nIn this case, the desc-\u003ebd will not be freed without this change."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:29.880Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80ee99e52936b2c04cc37b17a14b2ae2f9d282ac"
},
{
"url": "https://git.kernel.org/stable/c/dbe634ce824329d8f14079c3e9f8f11670894bec"
},
{
"url": "https://git.kernel.org/stable/c/bd0050b7ffa87c7b260d563646af612f4112a778"
},
{
"url": "https://git.kernel.org/stable/c/43acd767bd90c5d4172ce7fee5d9007a9a08dea9"
},
{
"url": "https://git.kernel.org/stable/c/ce4745a6b8016fae74c95dcd457d4ceef7d98af1"
},
{
"url": "https://git.kernel.org/stable/c/1417f59ac0b02130ee56c0c50794b9b257be3d17"
}
],
"title": "dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49746",
"datePublished": "2025-03-27T16:42:56.372Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-10-01T17:25:25.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21732 (GCVE-0-2025-21732)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 07:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error
This patch addresses a race condition for an ODP MR that can result in a
CQE with an error on the UMR QP.
During the __mlx5_ib_dereg_mr() flow, the following sequence of calls
occurs:
mlx5_revoke_mr()
mlx5r_umr_revoke_mr()
mlx5r_umr_post_send_wait()
At this point, the lkey is freed from the hardware's perspective.
However, concurrently, mlx5_ib_invalidate_range() might be triggered by
another task attempting to invalidate a range for the same freed lkey.
This task will:
- Acquire the umem_odp->umem_mutex lock.
- Call mlx5r_umr_update_xlt() on the UMR QP.
- Since the lkey has already been freed, this can lead to a CQE error,
causing the UMR QP to enter an error state [1].
To resolve this race condition, the umem_odp->umem_mutex lock is now also
acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke,
we set umem_odp->private which points to that MR to NULL, preventing any
further invalidation attempts on its lkey.
[1] From dmesg:
infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error
cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2
WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core
CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
[..]
Call Trace:
<TASK>
mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]
mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]
__mmu_notifier_invalidate_range_start+0x1e1/0x240
zap_page_range_single+0xf1/0x1a0
madvise_vma_behavior+0x677/0x6e0
do_madvise+0x1a2/0x4b0
__x64_sys_madvise+0x25/0x30
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b13d32786acabf70a7b04ed24b7468fc3c82977c",
"status": "affected",
"version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
"versionType": "git"
},
{
"lessThan": "5297f5ddffef47b94172ab0d3d62270002a3dcc1",
"status": "affected",
"version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
"versionType": "git"
},
{
"lessThan": "abb604a1a9c87255c7a6f3b784410a9707baf467",
"status": "affected",
"version": "e6fb246ccafbdfc86e0750af021628132fdbceac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error\n\nThis patch addresses a race condition for an ODP MR that can result in a\nCQE with an error on the UMR QP.\n\nDuring the __mlx5_ib_dereg_mr() flow, the following sequence of calls\noccurs:\n\nmlx5_revoke_mr()\n mlx5r_umr_revoke_mr()\n mlx5r_umr_post_send_wait()\n\nAt this point, the lkey is freed from the hardware\u0027s perspective.\n\nHowever, concurrently, mlx5_ib_invalidate_range() might be triggered by\nanother task attempting to invalidate a range for the same freed lkey.\n\nThis task will:\n - Acquire the umem_odp-\u003eumem_mutex lock.\n - Call mlx5r_umr_update_xlt() on the UMR QP.\n - Since the lkey has already been freed, this can lead to a CQE error,\n causing the UMR QP to enter an error state [1].\n\nTo resolve this race condition, the umem_odp-\u003eumem_mutex lock is now also\nacquired as part of the mlx5_revoke_mr() scope. Upon successful revoke,\nwe set umem_odp-\u003eprivate which points to that MR to NULL, preventing any\nfurther invalidation attempts on its lkey.\n\n[1] From dmesg:\n\n infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error\n cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2\n\n WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\n CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n [..]\n Call Trace:\n \u003cTASK\u003e\n mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]\n mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]\n __mmu_notifier_invalidate_range_start+0x1e1/0x240\n zap_page_range_single+0xf1/0x1a0\n madvise_vma_behavior+0x677/0x6e0\n do_madvise+0x1a2/0x4b0\n __x64_sys_madvise+0x25/0x30\n do_syscall_64+0x6b/0x140\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:58.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b13d32786acabf70a7b04ed24b7468fc3c82977c"
},
{
"url": "https://git.kernel.org/stable/c/5297f5ddffef47b94172ab0d3d62270002a3dcc1"
},
{
"url": "https://git.kernel.org/stable/c/abb604a1a9c87255c7a6f3b784410a9707baf467"
}
],
"title": "RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21732",
"datePublished": "2025-02-27T02:12:10.626Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-05-04T07:19:58.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49729 (GCVE-0-2022-49729)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
Similar to the handling of play_deferred in commit 19cfe912c37b
("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought
a patch might be needed here as well.
Currently usb_submit_urb is called directly to submit deferred tx
urbs after unanchor them.
So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb
and cause memory leak.
Put those urbs in tx_anchor to avoid the leak, and also fix the error
handling.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:56.699706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:43.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/nfcmrvl/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1eb0afecfb9cd0f38424b82bd9aaa542310934ee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f21f908347712b8288ffe83b531b5e977042b29c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e7c7df6991ac349f2fa8540047757df666e610f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b4d8b44e7163a77fe942f5b80e1651c1b78c537",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0eeec1a8b0cd38c47edeb042980a6aeacecf35ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6616872cfe7f0474a22dd1f12699f95bcf81a54d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3eadc560c1919b8193d17334145dad9a917960e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a4d480702b71184fabcf379b80bf7539716752e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/nfcmrvl/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred\n\nSimilar to the handling of play_deferred in commit 19cfe912c37b\n(\"Bluetooth: btusb: Fix memory leak in play_deferred\"), we thought\na patch might be needed here as well.\n\nCurrently usb_submit_urb is called directly to submit deferred tx\nurbs after unanchor them.\n\nSo the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb\nand cause memory leak.\n\nPut those urbs in tx_anchor to avoid the leak, and also fix the error\nhandling."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:13.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1eb0afecfb9cd0f38424b82bd9aaa542310934ee"
},
{
"url": "https://git.kernel.org/stable/c/f21f908347712b8288ffe83b531b5e977042b29c"
},
{
"url": "https://git.kernel.org/stable/c/3e7c7df6991ac349f2fa8540047757df666e610f"
},
{
"url": "https://git.kernel.org/stable/c/6b4d8b44e7163a77fe942f5b80e1651c1b78c537"
},
{
"url": "https://git.kernel.org/stable/c/0eeec1a8b0cd38c47edeb042980a6aeacecf35ed"
},
{
"url": "https://git.kernel.org/stable/c/6616872cfe7f0474a22dd1f12699f95bcf81a54d"
},
{
"url": "https://git.kernel.org/stable/c/3eadc560c1919b8193d17334145dad9a917960e4"
},
{
"url": "https://git.kernel.org/stable/c/8a4d480702b71184fabcf379b80bf7539716752e"
}
],
"title": "nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49729",
"datePublished": "2025-02-26T02:24:40.021Z",
"dateReserved": "2025-02-26T02:21:30.448Z",
"dateUpdated": "2025-10-01T19:36:43.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49607 (GCVE-0-2022-49607)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()
Yang Jihing reported a race between perf_event_set_output() and
perf_mmap_close():
CPU1 CPU2
perf_mmap_close(e2)
if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
detach_rest = true
ioctl(e1, IOC_SET_OUTPUT, e2)
perf_event_set_output(e1, e2)
...
list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
ring_buffer_attach(e, NULL);
// e1 isn't yet added and
// therefore not detached
ring_buffer_attach(e1, e2->rb)
list_add_rcu(&e1->rb_entry,
&e2->rb->event_list)
After this; e1 is attached to an unmapped rb and a subsequent
perf_mmap() will loop forever more:
again:
mutex_lock(&e->mmap_mutex);
if (event->rb) {
...
if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
...
mutex_unlock(&e->mmap_mutex);
goto again;
}
}
The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
in perf_event_set_output() holds e1->mmap_mutex. As such there is no
serialization to avoid this race.
Change perf_event_set_output() to take both e1->mmap_mutex and
e2->mmap_mutex to alleviate that problem. Additionally, have the loop
in perf_mmap() detach the rb directly, this avoids having to wait for
the concurrent perf_mmap_close() to get around to doing it to make
progress.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b Version: 2487f0db30527032c4d56fc2d0b1a240fe89fef8 Version: 703197b61d05f5edae54bad3256901c5a5c8794c Version: c52217e88ae0f3a4ae00562d86e338f8f85969b4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49607",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:35:03.904350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3bbd868099287ff9027db59029b502fcfa2202a0",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "f836f9ac95df15f1e0af4beb0ec20021e8c91998",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "17f5417194136517ee9bbd6511249e5310e5617c",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "43128b3eee337824158f34da6648163d2f2fb937",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "da3c256e2d0ebc87c7db0c605c9692b6f1722074",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "a9391ff7a7c5f113d6f2bf6621d49110950de49c",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"lessThan": "68e3c69803dada336893640110cb87221bb01dcf",
"status": "affected",
"version": "9bb5d40cd93c9dd4be74834b1dcb1ba03629716b",
"versionType": "git"
},
{
"status": "affected",
"version": "2487f0db30527032c4d56fc2d0b1a240fe89fef8",
"versionType": "git"
},
{
"status": "affected",
"version": "703197b61d05f5edae54bad3256901c5a5c8794c",
"versionType": "git"
},
{
"status": "affected",
"version": "c52217e88ae0f3a4ae00562d86e338f8f85969b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.325",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.290",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.9.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix data race between perf_event_set_output() and perf_mmap_close()\n\nYang Jihing reported a race between perf_event_set_output() and\nperf_mmap_close():\n\n\tCPU1\t\t\t\t\tCPU2\n\n\tperf_mmap_close(e2)\n\t if (atomic_dec_and_test(\u0026e2-\u003erb-\u003emmap_count)) // 1 - \u003e 0\n\t detach_rest = true\n\n\t\t\t\t\t\tioctl(e1, IOC_SET_OUTPUT, e2)\n\t\t\t\t\t\t perf_event_set_output(e1, e2)\n\n\t ...\n\t list_for_each_entry_rcu(e, \u0026e2-\u003erb-\u003eevent_list, rb_entry)\n\t ring_buffer_attach(e, NULL);\n\t // e1 isn\u0027t yet added and\n\t // therefore not detached\n\n\t\t\t\t\t\t ring_buffer_attach(e1, e2-\u003erb)\n\t\t\t\t\t\t list_add_rcu(\u0026e1-\u003erb_entry,\n\t\t\t\t\t\t\t\t \u0026e2-\u003erb-\u003eevent_list)\n\nAfter this; e1 is attached to an unmapped rb and a subsequent\nperf_mmap() will loop forever more:\n\n\tagain:\n\t\tmutex_lock(\u0026e-\u003emmap_mutex);\n\t\tif (event-\u003erb) {\n\t\t\t...\n\t\t\tif (!atomic_inc_not_zero(\u0026e-\u003erb-\u003emmap_count)) {\n\t\t\t\t...\n\t\t\t\tmutex_unlock(\u0026e-\u003emmap_mutex);\n\t\t\t\tgoto again;\n\t\t\t}\n\t\t}\n\nThe loop in perf_mmap_close() holds e2-\u003emmap_mutex, while the attach\nin perf_event_set_output() holds e1-\u003emmap_mutex. As such there is no\nserialization to avoid this race.\n\nChange perf_event_set_output() to take both e1-\u003emmap_mutex and\ne2-\u003emmap_mutex to alleviate that problem. Additionally, have the loop\nin perf_mmap() detach the rb directly, this avoids having to wait for\nthe concurrent perf_mmap_close() to get around to doing it to make\nprogress."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:58.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0"
},
{
"url": "https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998"
},
{
"url": "https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c"
},
{
"url": "https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c"
},
{
"url": "https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937"
},
{
"url": "https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074"
},
{
"url": "https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c"
},
{
"url": "https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf"
}
],
"title": "perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49607",
"datePublished": "2025-02-26T02:23:31.823Z",
"dateReserved": "2025-02-26T02:21:30.417Z",
"dateUpdated": "2025-10-01T19:36:51.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21828 (GCVE-0-2025-21828)
Vulnerability from cvelistv5
Published
2025-03-06 16:04
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: don't flush non-uploaded STAs
If STA state is pre-moved to AUTHORIZED (such as in IBSS
scenarios) and insertion fails, the station is freed.
In this case, the driver never knew about the station,
so trying to flush it is unexpected and may crash.
Check if the sta was uploaded to the driver before and
fix this.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/driver-ops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf21ef3d430847ba864bbc9b2774fffcc03ce321",
"status": "affected",
"version": "d00800a289c9349bb659a698cbd7bc04521dc927",
"versionType": "git"
},
{
"lessThan": "cd10b7fcb95a6a86c67adc54304c59a578ab16af",
"status": "affected",
"version": "d00800a289c9349bb659a698cbd7bc04521dc927",
"versionType": "git"
},
{
"lessThan": "9efb5531271fa7ebae993b2a33a705d9947c7ce6",
"status": "affected",
"version": "d00800a289c9349bb659a698cbd7bc04521dc927",
"versionType": "git"
},
{
"lessThan": "aa3ce3f8fafa0b8fb062f28024855ea8cb3f3450",
"status": "affected",
"version": "d00800a289c9349bb659a698cbd7bc04521dc927",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/driver-ops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don\u0027t flush non-uploaded STAs\n\nIf STA state is pre-moved to AUTHORIZED (such as in IBSS\nscenarios) and insertion fails, the station is freed.\nIn this case, the driver never knew about the station,\nso trying to flush it is unexpected and may crash.\n\nCheck if the sta was uploaded to the driver before and\nfix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:00.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf21ef3d430847ba864bbc9b2774fffcc03ce321"
},
{
"url": "https://git.kernel.org/stable/c/cd10b7fcb95a6a86c67adc54304c59a578ab16af"
},
{
"url": "https://git.kernel.org/stable/c/9efb5531271fa7ebae993b2a33a705d9947c7ce6"
},
{
"url": "https://git.kernel.org/stable/c/aa3ce3f8fafa0b8fb062f28024855ea8cb3f3450"
}
],
"title": "wifi: mac80211: don\u0027t flush non-uploaded STAs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21828",
"datePublished": "2025-03-06T16:04:33.641Z",
"dateReserved": "2024-12-29T08:45:45.776Z",
"dateUpdated": "2025-05-04T07:22:00.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21825 (GCVE-0-2025-21825)
Vulnerability from cvelistv5
Published
2025-03-06 16:04
Modified
2025-05-04 07:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT
During the update procedure, when overwrite element in a pre-allocated
htab, the freeing of old_element is protected by the bucket lock. The
reason why the bucket lock is necessary is that the old_element has
already been stashed in htab->extra_elems after alloc_htab_elem()
returns. If freeing the old_element after the bucket lock is unlocked,
the stashed element may be reused by concurrent update procedure and the
freeing of old_element will run concurrently with the reuse of the
old_element. However, the invocation of check_and_free_fields() may
acquire a spin-lock which violates the lockdep rule because its caller
has already held a raw-spin-lock (bucket lock). The following warning
will be reported when such race happens:
BUG: scheduling while atomic: test_progs/676/0x00000003
3 locks held by test_progs/676:
#0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830
#1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500
#2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0
Modules linked in: bpf_testmod(O)
Preemption disabled at:
[<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500
CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11
Tainted: [W]=WARN, [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x70
dump_stack+0x10/0x20
__schedule_bug+0x120/0x170
__schedule+0x300c/0x4800
schedule_rtlock+0x37/0x60
rtlock_slowlock_locked+0x6d9/0x54c0
rt_spin_lock+0x168/0x230
hrtimer_cancel_wait_running+0xe9/0x1b0
hrtimer_cancel+0x24/0x30
bpf_timer_delete_work+0x1d/0x40
bpf_timer_cancel_and_free+0x5e/0x80
bpf_obj_free_fields+0x262/0x4a0
check_and_free_fields+0x1d0/0x280
htab_map_update_elem+0x7fc/0x1500
bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43
bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e
bpf_prog_test_run_syscall+0x322/0x830
__sys_bpf+0x135d/0x3ca0
__x64_sys_bpf+0x75/0xb0
x64_sys_call+0x1b5/0xa10
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
...
</TASK>
It seems feasible to break the reuse and refill of per-cpu extra_elems
into two independent parts: reuse the per-cpu extra_elems with bucket
lock being held and refill the old_element as per-cpu extra_elems after
the bucket lock is unlocked. However, it will make the concurrent
overwrite procedures on the same CPU return unexpected -E2BIG error when
the map is full.
Therefore, the patch fixes the lock problem by breaking the cancelling
of bpf_timer into two steps for PREEMPT_RT:
1) use hrtimer_try_to_cancel() and check its return value
2) if the timer is running, use hrtimer_cancel() through a kworker to
cancel it again
Considering that the current implementation of hrtimer_cancel() will try
to acquire a being held softirq_expiry_lock when the current timer is
running, these steps above are reasonable. However, it also has
downside. When the timer is running, the cancelling of the timer is
delayed when releasing the last map uref. The delay is also fixable
(e.g., break the cancelling of bpf timer into two parts: one part in
locked scope, another one in unlocked scope), it can be revised later if
necessary.
It is a bit hard to decide the right fix tag. One reason is that the
problem depends on PREEMPT_RT which is enabled in v6.12. Considering the
softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced
in v5.15, the bpf_timer commit is used in the fixes tag and an extra
depends-on tag is added to state the dependency on PREEMPT_RT.
Depends-on: v6.12+ with PREEMPT_RT enabled
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33e47d9573075342a41783a55c8c67bc71246fc1",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "fbeda3d939ca10063aafa7a77cc0f409d82cda88",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
},
{
"lessThan": "58f038e6d209d2dd862fcf5de55407855856794d",
"status": "affected",
"version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Cancel the running bpf_timer through kworker for PREEMPT_RT\n\nDuring the update procedure, when overwrite element in a pre-allocated\nhtab, the freeing of old_element is protected by the bucket lock. The\nreason why the bucket lock is necessary is that the old_element has\nalready been stashed in htab-\u003eextra_elems after alloc_htab_elem()\nreturns. If freeing the old_element after the bucket lock is unlocked,\nthe stashed element may be reused by concurrent update procedure and the\nfreeing of old_element will run concurrently with the reuse of the\nold_element. However, the invocation of check_and_free_fields() may\nacquire a spin-lock which violates the lockdep rule because its caller\nhas already held a raw-spin-lock (bucket lock). The following warning\nwill be reported when such race happens:\n\n BUG: scheduling while atomic: test_progs/676/0x00000003\n 3 locks held by test_progs/676:\n #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830\n #1: ffff88810e961188 (\u0026htab-\u003elockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500\n #2: ffff8881f4eac1b8 (\u0026base-\u003esoftirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0\n Modules linked in: bpf_testmod(O)\n Preemption disabled at:\n [\u003cffffffff817837a3\u003e] htab_map_update_elem+0x293/0x1500\n CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11\n Tainted: [W]=WARN, [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x57/0x70\n dump_stack+0x10/0x20\n __schedule_bug+0x120/0x170\n __schedule+0x300c/0x4800\n schedule_rtlock+0x37/0x60\n rtlock_slowlock_locked+0x6d9/0x54c0\n rt_spin_lock+0x168/0x230\n hrtimer_cancel_wait_running+0xe9/0x1b0\n hrtimer_cancel+0x24/0x30\n bpf_timer_delete_work+0x1d/0x40\n bpf_timer_cancel_and_free+0x5e/0x80\n bpf_obj_free_fields+0x262/0x4a0\n check_and_free_fields+0x1d0/0x280\n htab_map_update_elem+0x7fc/0x1500\n bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43\n bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e\n bpf_prog_test_run_syscall+0x322/0x830\n __sys_bpf+0x135d/0x3ca0\n __x64_sys_bpf+0x75/0xb0\n x64_sys_call+0x1b5/0xa10\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n ...\n \u003c/TASK\u003e\n\nIt seems feasible to break the reuse and refill of per-cpu extra_elems\ninto two independent parts: reuse the per-cpu extra_elems with bucket\nlock being held and refill the old_element as per-cpu extra_elems after\nthe bucket lock is unlocked. However, it will make the concurrent\noverwrite procedures on the same CPU return unexpected -E2BIG error when\nthe map is full.\n\nTherefore, the patch fixes the lock problem by breaking the cancelling\nof bpf_timer into two steps for PREEMPT_RT:\n1) use hrtimer_try_to_cancel() and check its return value\n2) if the timer is running, use hrtimer_cancel() through a kworker to\n cancel it again\nConsidering that the current implementation of hrtimer_cancel() will try\nto acquire a being held softirq_expiry_lock when the current timer is\nrunning, these steps above are reasonable. However, it also has\ndownside. When the timer is running, the cancelling of the timer is\ndelayed when releasing the last map uref. The delay is also fixable\n(e.g., break the cancelling of bpf timer into two parts: one part in\nlocked scope, another one in unlocked scope), it can be revised later if\nnecessary.\n\nIt is a bit hard to decide the right fix tag. One reason is that the\nproblem depends on PREEMPT_RT which is enabled in v6.12. Considering the\nsoftirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced\nin v5.15, the bpf_timer commit is used in the fixes tag and an extra\ndepends-on tag is added to state the dependency on PREEMPT_RT.\n\nDepends-on: v6.12+ with PREEMPT_RT enabled"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:57.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33e47d9573075342a41783a55c8c67bc71246fc1"
},
{
"url": "https://git.kernel.org/stable/c/fbeda3d939ca10063aafa7a77cc0f409d82cda88"
},
{
"url": "https://git.kernel.org/stable/c/58f038e6d209d2dd862fcf5de55407855856794d"
}
],
"title": "bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21825",
"datePublished": "2025-03-06T16:04:31.576Z",
"dateReserved": "2024-12-29T08:45:45.775Z",
"dateUpdated": "2025-05-04T07:21:57.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49144 (GCVE-0-2022-49144)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix memory leak of uid in files registration
When there are no files for __io_sqe_files_scm() to process in the
range, it'll free everything and return. However, it forgets to put uid.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:53.930446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:01.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b27de7011cb3ba14b047be2cee0ed8278368665b",
"status": "affected",
"version": "08a451739a9b5783f67de51e84cb6d9559bb9dc4",
"versionType": "git"
},
{
"lessThan": "0853bd6885c2f293d88aaa7f7f1702c959b31680",
"status": "affected",
"version": "08a451739a9b5783f67de51e84cb6d9559bb9dc4",
"versionType": "git"
},
{
"lessThan": "d6d7a517e81accf6ed22d55684baea763d2dbe43",
"status": "affected",
"version": "08a451739a9b5783f67de51e84cb6d9559bb9dc4",
"versionType": "git"
},
{
"lessThan": "7fa8b228c3f30060b9f4b24bb9aaaf41b0ae83fe",
"status": "affected",
"version": "08a451739a9b5783f67de51e84cb6d9559bb9dc4",
"versionType": "git"
},
{
"lessThan": "c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8",
"status": "affected",
"version": "08a451739a9b5783f67de51e84cb6d9559bb9dc4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memory leak of uid in files registration\n\nWhen there are no files for __io_sqe_files_scm() to process in the\nrange, it\u0027ll free everything and return. However, it forgets to put uid."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:54.883Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b27de7011cb3ba14b047be2cee0ed8278368665b"
},
{
"url": "https://git.kernel.org/stable/c/0853bd6885c2f293d88aaa7f7f1702c959b31680"
},
{
"url": "https://git.kernel.org/stable/c/d6d7a517e81accf6ed22d55684baea763d2dbe43"
},
{
"url": "https://git.kernel.org/stable/c/7fa8b228c3f30060b9f4b24bb9aaaf41b0ae83fe"
},
{
"url": "https://git.kernel.org/stable/c/c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8"
}
],
"title": "io_uring: fix memory leak of uid in files registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49144",
"datePublished": "2025-02-26T01:55:13.843Z",
"dateReserved": "2025-02-26T01:49:39.270Z",
"dateUpdated": "2025-10-01T19:57:01.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58005 (GCVE-0-2024-58005)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: Change to kvalloc() in eventlog/acpi.c
The following failure was reported on HPE ProLiant D320:
[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)
[ 10.848132][ T1] ------------[ cut here ]------------
[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330
[ 10.862827][ T1] Modules linked in:
[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375
[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024
[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330
[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1
[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246
[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000
[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0
The above transcript shows that ACPI pointed a 16 MiB buffer for the log
events because RSI maps to the 'order' parameter of __alloc_pages_noprof().
Address the bug by moving from devm_kmalloc() to devm_add_action() and
kvmalloc() and devm_add_action().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 Version: 55a82ab3181be039c6440d3f2f69260ad6fe2988 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:18.687Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/eventlog/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a676c0401de59548a5bc1b7aaf98f556ae8ea6db",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "0621d2599d6e02d05c85d6bbd58eaea2f15b3503",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "77779d1258a287f2c5c2c6aeae203e0996209c77",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "50365a6304a57266e8f4d3078060743c3b7a1e0d",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "422d7f4e8d817be467986589c7968d3ea402f7da",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "4c8bfe643bbd00b04ee8f9545ef33bf6a68c38db",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
},
{
"lessThan": "a3a860bc0fd6c07332e4911cf9a238d20de90173",
"status": "affected",
"version": "55a82ab3181be039c6440d3f2f69260ad6fe2988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/eventlog/acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Change to kvalloc() in eventlog/acpi.c\n\nThe following failure was reported on HPE ProLiant D320:\n\n[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)\n[ 10.848132][ T1] ------------[ cut here ]------------\n[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330\n[ 10.862827][ T1] Modules linked in:\n[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375\n[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024\n[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330\n[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 \u003c0f\u003e 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1\n[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246\n[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000\n[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0\n\nThe above transcript shows that ACPI pointed a 16 MiB buffer for the log\nevents because RSI maps to the \u0027order\u0027 parameter of __alloc_pages_noprof().\nAddress the bug by moving from devm_kmalloc() to devm_add_action() and\nkvmalloc() and devm_add_action()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:13.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a676c0401de59548a5bc1b7aaf98f556ae8ea6db"
},
{
"url": "https://git.kernel.org/stable/c/0621d2599d6e02d05c85d6bbd58eaea2f15b3503"
},
{
"url": "https://git.kernel.org/stable/c/77779d1258a287f2c5c2c6aeae203e0996209c77"
},
{
"url": "https://git.kernel.org/stable/c/50365a6304a57266e8f4d3078060743c3b7a1e0d"
},
{
"url": "https://git.kernel.org/stable/c/422d7f4e8d817be467986589c7968d3ea402f7da"
},
{
"url": "https://git.kernel.org/stable/c/4c8bfe643bbd00b04ee8f9545ef33bf6a68c38db"
},
{
"url": "https://git.kernel.org/stable/c/a3a860bc0fd6c07332e4911cf9a238d20de90173"
}
],
"title": "tpm: Change to kvalloc() in eventlog/acpi.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58005",
"datePublished": "2025-02-27T02:12:02.232Z",
"dateReserved": "2025-02-27T02:10:48.226Z",
"dateUpdated": "2025-11-03T19:33:18.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49503 (GCVE-0-2022-49503)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
ensure that it is within the bitmap.
drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 Version: 4ed1a8d4a25711f780b96920fff2bb531229e322 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_drv_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bcb528402cd5e1a6e1833e956fd58a12d509e8e",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "a048e0c3caa852397b7b50d4c82a0415c05f7ac3",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "4bdcf32c965c27f55ccc4ee71c1927131115b0bb",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "2326d398ccd41ba6d93b8346532dfa432ab00fee",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "461e4c1f199076275f16bf6f3d3e42c6b6c79f33",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "7f6defe0fabc79f29603c6fa3c80e4fe0456a3e9",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "eda518db7db16c360bc84379d90675650daa3048",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "3dad3fed5672828c7fb0465cb66a3d9a70952fa6",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
},
{
"lessThan": "2dc509305cf956381532792cb8dceef2b1504765",
"status": "affected",
"version": "4ed1a8d4a25711f780b96920fff2bb531229e322",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_drv_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k_htc: fix potential out of bounds access with invalid rxstatus-\u003ers_keyix\n\nThe \"rxstatus-\u003ers_keyix\" eventually gets passed to test_bit() so we need to\nensure that it is within the bitmap.\n\ndrivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()\nerror: passing untrusted data \u0027rx_stats-\u003ers_keyix\u0027 to \u0027test_bit()\u0027"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:20.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bcb528402cd5e1a6e1833e956fd58a12d509e8e"
},
{
"url": "https://git.kernel.org/stable/c/a048e0c3caa852397b7b50d4c82a0415c05f7ac3"
},
{
"url": "https://git.kernel.org/stable/c/4bdcf32c965c27f55ccc4ee71c1927131115b0bb"
},
{
"url": "https://git.kernel.org/stable/c/2326d398ccd41ba6d93b8346532dfa432ab00fee"
},
{
"url": "https://git.kernel.org/stable/c/461e4c1f199076275f16bf6f3d3e42c6b6c79f33"
},
{
"url": "https://git.kernel.org/stable/c/7f6defe0fabc79f29603c6fa3c80e4fe0456a3e9"
},
{
"url": "https://git.kernel.org/stable/c/eda518db7db16c360bc84379d90675650daa3048"
},
{
"url": "https://git.kernel.org/stable/c/3dad3fed5672828c7fb0465cb66a3d9a70952fa6"
},
{
"url": "https://git.kernel.org/stable/c/2dc509305cf956381532792cb8dceef2b1504765"
}
],
"title": "ath9k_htc: fix potential out of bounds access with invalid rxstatus-\u003ers_keyix",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49503",
"datePublished": "2025-02-26T02:13:36.149Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-05-04T08:39:20.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49661 (GCVE-0-2022-49661)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_open/close(): fix memory leak
The gs_usb driver appears to suffer from a malady common to many USB
CAN adapter drivers in that it performs usb_alloc_coherent() to
allocate a number of USB request blocks (URBs) for RX, and then later
relies on usb_kill_anchored_urbs() to free them, but this doesn't
actually free them. As a result, this may be leaking DMA memory that's
been used by the driver.
This commit is an adaptation of the techniques found in the esd_usb2
driver where a similar design pattern led to a memory leak. It
explicitly frees the RX URBs and their DMA memory via a call to
usb_free_coherent(). Since the RX URBs were allocated in the
gs_can_open(), we remove them in gs_can_close() rather than in the
disconnect function as was done in esd_usb2.
For more information, see the 928150fad41b ("can: esd_usb2: fix memory
leak").
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da Version: d08e973a77d128b25e01a08c34d89593fdf222da |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "339fa9f80d3b94177a7a459c6d115d3b56007d5a",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "d91492638b054f4a359621ef216242be5973ed6b",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "6f655b5e13fa4b27e915b6c209ac0da74fd75963",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "d0b8e223998866b3e7b2895927d4e9689b0a80d8",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "0e60230bc64355c80abe993d1719fdb318094e20",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "2bda24ef95c0311ab93bda00db40486acf30bd0a",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.323",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.288",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.252",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.205",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_open/close(): fix memory leak\n\nThe gs_usb driver appears to suffer from a malady common to many USB\nCAN adapter drivers in that it performs usb_alloc_coherent() to\nallocate a number of USB request blocks (URBs) for RX, and then later\nrelies on usb_kill_anchored_urbs() to free them, but this doesn\u0027t\nactually free them. As a result, this may be leaking DMA memory that\u0027s\nbeen used by the driver.\n\nThis commit is an adaptation of the techniques found in the esd_usb2\ndriver where a similar design pattern led to a memory leak. It\nexplicitly frees the RX URBs and their DMA memory via a call to\nusb_free_coherent(). Since the RX URBs were allocated in the\ngs_can_open(), we remove them in gs_can_close() rather than in the\ndisconnect function as was done in esd_usb2.\n\nFor more information, see the 928150fad41b (\"can: esd_usb2: fix memory\nleak\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:47.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/339fa9f80d3b94177a7a459c6d115d3b56007d5a"
},
{
"url": "https://git.kernel.org/stable/c/c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0"
},
{
"url": "https://git.kernel.org/stable/c/d91492638b054f4a359621ef216242be5973ed6b"
},
{
"url": "https://git.kernel.org/stable/c/6f655b5e13fa4b27e915b6c209ac0da74fd75963"
},
{
"url": "https://git.kernel.org/stable/c/d0b8e223998866b3e7b2895927d4e9689b0a80d8"
},
{
"url": "https://git.kernel.org/stable/c/0e60230bc64355c80abe993d1719fdb318094e20"
},
{
"url": "https://git.kernel.org/stable/c/ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c"
},
{
"url": "https://git.kernel.org/stable/c/2bda24ef95c0311ab93bda00db40486acf30bd0a"
}
],
"title": "can: gs_usb: gs_usb_open/close(): fix memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49661",
"datePublished": "2025-02-26T02:23:58.352Z",
"dateReserved": "2025-02-26T02:21:30.435Z",
"dateUpdated": "2025-05-04T08:42:47.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49259 (GCVE-0-2022-49259)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: don't delete queue kobject before its children
kobjects aren't supposed to be deleted before their child kobjects are
deleted. Apparently this is usually benign; however, a WARN will be
triggered if one of the child kobjects has a named attribute group:
sysfs group 'modes' not found for kobject 'crypto'
WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80
...
Call Trace:
sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312
__kobject_del+0x20/0x80 lib/kobject.c:611
kobject_cleanup+0xa4/0x140 lib/kobject.c:696
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x53/0x70 lib/kobject.c:753
blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159
blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962
del_gendisk+0x117/0x250 block/genhd.c:610
Fix this by moving the kobject_del() and the corresponding
kobject_uevent() to the correct place.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 Version: 2c2086afc2b8b974fac32cb028e73dc27bfae442 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2001eb10f59363da930cdd6e086a2861986fa18",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "84fe3ca6e7910beb47ec13509d484f84fa2a41ad",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "0b5924a14d64487ebd51127b0358d06066ef5384",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "efaa0e969261e97c1fdd8e0338e5dd3ba5b9219c",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "cf0cb8686e55d9c022944bc6ba9e19e832889e83",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "3d7e32c8da45957326f56937e0471c686d1a7711",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
},
{
"lessThan": "0f69288253e9fc7c495047720e523b9f1aba5712",
"status": "affected",
"version": "2c2086afc2b8b974fac32cb028e73dc27bfae442",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don\u0027t delete queue kobject before its children\n\nkobjects aren\u0027t supposed to be deleted before their child kobjects are\ndeleted. Apparently this is usually benign; however, a WARN will be\ntriggered if one of the child kobjects has a named attribute group:\n\n sysfs group \u0027modes\u0027 not found for kobject \u0027crypto\u0027\n WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80\n ...\n Call Trace:\n sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312\n __kobject_del+0x20/0x80 lib/kobject.c:611\n kobject_cleanup+0xa4/0x140 lib/kobject.c:696\n kobject_release lib/kobject.c:736 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x53/0x70 lib/kobject.c:753\n blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159\n blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962\n del_gendisk+0x117/0x250 block/genhd.c:610\n\nFix this by moving the kobject_del() and the corresponding\nkobject_uevent() to the correct place."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:33.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2001eb10f59363da930cdd6e086a2861986fa18"
},
{
"url": "https://git.kernel.org/stable/c/84fe3ca6e7910beb47ec13509d484f84fa2a41ad"
},
{
"url": "https://git.kernel.org/stable/c/0b5924a14d64487ebd51127b0358d06066ef5384"
},
{
"url": "https://git.kernel.org/stable/c/efaa0e969261e97c1fdd8e0338e5dd3ba5b9219c"
},
{
"url": "https://git.kernel.org/stable/c/cf0cb8686e55d9c022944bc6ba9e19e832889e83"
},
{
"url": "https://git.kernel.org/stable/c/3d7e32c8da45957326f56937e0471c686d1a7711"
},
{
"url": "https://git.kernel.org/stable/c/0f69288253e9fc7c495047720e523b9f1aba5712"
}
],
"title": "block: don\u0027t delete queue kobject before its children",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49259",
"datePublished": "2025-02-26T01:56:12.046Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:33.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49674 (GCVE-0-2022-49674)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm raid: fix accesses beyond end of raid member array
On dm-raid table load (using raid_ctr), dm-raid allocates an array
rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
is defined by the number of raid metadata and image tupples passed
into the target's constructor.
In the case of RAID layout changes being requested, that number can be
different from the current number of members for existing raid sets as
defined in their superblocks. Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)
When accessing array members, rs->raid_disks must be used in control
loops instead of the potentially larger value in rs->md.raid_disks.
Otherwise it will cause memory access beyond the end of the rs->devs
array.
Fix this by changing code that is prone to out-of-bounds access.
Also fix validate_raid_redundancy() to validate all devices that are
added. Also, use braces to help clean up raid_iterate_devices().
The out-of-bounds memory accesses was discovered using KASAN.
This commit was verified to pass all LVM2 RAID tests (with KASAN
enabled).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e161a8826b63c0b8b43e4a7fad1f956780f42ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90de15357504c8097ab29769dc6852e16281e9e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bf2b0757b04c78dc5d6e3a198acca98457b32a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6352b2f4d8e95ec0ae576d7705435d64cfa29503",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bcff98500ea3b4e7615ec31d2bdd326bc1ef5134",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "332bd0778775d0cf105c4b9e03e460b590749916",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix accesses beyond end of raid member array\n\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs-\u003edevs[rs-\u003eraid_disks] for the raid device members. rs-\u003eraid_disks\nis defined by the number of raid metadata and image tupples passed\ninto the target\u0027s constructor.\n\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -\u003e raid6)\n\nWhen accessing array members, rs-\u003eraid_disks must be used in control\nloops instead of the potentially larger value in rs-\u003emd.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs-\u003edevs\narray.\n\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\n\nThe out-of-bounds memory accesses was discovered using KASAN.\n\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:03.651Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e161a8826b63c0b8b43e4a7fad1f956780f42ab"
},
{
"url": "https://git.kernel.org/stable/c/df1a5ab0dd0775f2ea101c71f2addbc4c0ea0f85"
},
{
"url": "https://git.kernel.org/stable/c/90de15357504c8097ab29769dc6852e16281e9e8"
},
{
"url": "https://git.kernel.org/stable/c/9bf2b0757b04c78dc5d6e3a198acca98457b32a1"
},
{
"url": "https://git.kernel.org/stable/c/6352b2f4d8e95ec0ae576d7705435d64cfa29503"
},
{
"url": "https://git.kernel.org/stable/c/bcff98500ea3b4e7615ec31d2bdd326bc1ef5134"
},
{
"url": "https://git.kernel.org/stable/c/332bd0778775d0cf105c4b9e03e460b590749916"
}
],
"title": "dm raid: fix accesses beyond end of raid member array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49674",
"datePublished": "2025-02-26T02:24:06.636Z",
"dateReserved": "2025-02-26T02:21:30.438Z",
"dateUpdated": "2025-05-04T08:43:03.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57981 (GCVE-0-2024-57981)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts
If a command is queued to the final usable TRB of a ring segment, the
enqueue pointer is advanced to the subsequent link TRB and no further.
If the command is later aborted, when the abort completion is handled
the dequeue pointer is advanced to the first TRB of the next segment.
If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
the ring pointers unequal and assumes that there is a pending command,
so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.
Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
ring likely is unnecessary too, but it's harmless. Leave it alone.
This is probably Bug 219532, but no confirmation has been received.
The issue has been independently reproduced and confirmed fixed using
a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
Everything continued working normally after several prevented crashes.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 Version: c311e391a7efd101250c0e123286709b7e736249 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:02.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd8bfaeba4a85b14427899adec0efb3954300653",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "b44253956407046e5907d4d72c8fa5b93ae94485",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "cf30300a216a4f8dce94e11781a866a09d4b50d4",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "4ff18870af793ce2034a6ad746e91d0a3d985b88",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "b649f0d5bc256f691c7d234c3986685d54053de1",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "0ce5c0dac768be14afe2426101b568a0f66bfc4d",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
},
{
"lessThan": "1e0a19912adb68a4b2b74fd77001c96cd83eb073",
"status": "affected",
"version": "c311e391a7efd101250c0e123286709b7e736249",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon\u0027t attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it\u0027s harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:39.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653"
},
{
"url": "https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485"
},
{
"url": "https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4"
},
{
"url": "https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88"
},
{
"url": "https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1"
},
{
"url": "https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641"
},
{
"url": "https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d"
},
{
"url": "https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073"
}
],
"title": "usb: xhci: Fix NULL pointer dereference on certain command aborts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57981",
"datePublished": "2025-02-27T02:07:07.489Z",
"dateReserved": "2025-02-27T02:04:28.913Z",
"dateUpdated": "2025-11-03T19:33:02.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49481 (GCVE-0-2022-49481)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
of_node_get() returns a node with refcount incremented.
Calling of_node_put() to drop the reference when not needed anymore.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 Version: 3784b6d64dc52ed3fbebad61a85ab9b7a687a167 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:23.034632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/pfuze100-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b74c0dd9179d21b7260260e075d597b23970100c",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "6ca675f4abbc74bc991d154a1ecc8b384dc2aae4",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "984cfef0675ed7398814e14af2c5323911723e1c",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "0be5d9da5743b9825a95baec85a67500b2c1d362",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "9f564e29a51210a49df3d925117777c157a17d6d",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "56ab0c01027492cd161c64148e1dc892c56887ad",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "671be14fc31374b1a10a3abd93db6a8480838fc9",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "49d785baeb91568332197be356d138e5e59c7ddb",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
},
{
"lessThan": "afaa7b933ef00a2d3262f4d1252087613fb5c06d",
"status": "affected",
"version": "3784b6d64dc52ed3fbebad61a85ab9b7a687a167",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/pfuze100-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt\n\nof_node_get() returns a node with refcount incremented.\nCalling of_node_put() to drop the reference when not needed anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:44.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b74c0dd9179d21b7260260e075d597b23970100c"
},
{
"url": "https://git.kernel.org/stable/c/6ca675f4abbc74bc991d154a1ecc8b384dc2aae4"
},
{
"url": "https://git.kernel.org/stable/c/984cfef0675ed7398814e14af2c5323911723e1c"
},
{
"url": "https://git.kernel.org/stable/c/0be5d9da5743b9825a95baec85a67500b2c1d362"
},
{
"url": "https://git.kernel.org/stable/c/9f564e29a51210a49df3d925117777c157a17d6d"
},
{
"url": "https://git.kernel.org/stable/c/56ab0c01027492cd161c64148e1dc892c56887ad"
},
{
"url": "https://git.kernel.org/stable/c/671be14fc31374b1a10a3abd93db6a8480838fc9"
},
{
"url": "https://git.kernel.org/stable/c/49d785baeb91568332197be356d138e5e59c7ddb"
},
{
"url": "https://git.kernel.org/stable/c/afaa7b933ef00a2d3262f4d1252087613fb5c06d"
}
],
"title": "regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49481",
"datePublished": "2025-02-26T02:13:21.324Z",
"dateReserved": "2025-02-26T02:08:31.581Z",
"dateUpdated": "2025-10-01T19:46:45.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2162 (GCVE-0-2023-2162)
Vulnerability from cvelistv5
Published
2023-04-19 00:00
Modified
2025-03-19 15:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.spinics.net/lists/linux-scsi/msg181542.html"
},
{
"name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-2162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:56:12.536478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:32:43.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux Kernel version prior to Kernel 6.2 RC6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-03T13:06:42.883Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://www.spinics.net/lists/linux-scsi/msg181542.html"
},
{
"name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-2162",
"datePublished": "2023-04-19T00:00:00.000Z",
"dateReserved": "2023-04-18T00:00:00.000Z",
"dateUpdated": "2025-03-19T15:32:43.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50140 (GCVE-0-2024-50140)
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2025-10-01 20:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Disable page allocation in task_tick_mm_cid()
With KASAN and PREEMPT_RT enabled, calling task_work_add() in
task_tick_mm_cid() may cause the following splat.
[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[ 63.696416] preempt_count: 10001, expected: 0
[ 63.696416] RCU nest depth: 1, expected: 1
This problem is caused by the following call trace.
sched_tick() [ acquire rq->__lock ]
-> task_tick_mm_cid()
-> task_work_add()
-> __kasan_record_aux_stack()
-> kasan_save_stack()
-> stack_depot_save_flags()
-> alloc_pages_mpol_noprof()
-> __alloc_pages_noprof()
-> get_page_from_freelist()
-> rmqueue()
-> rmqueue_pcplist()
-> __rmqueue_pcplist()
-> rmqueue_bulk()
-> rt_spin_lock()
The rq lock is a raw_spinlock_t. We can't sleep while holding
it. IOW, we can't call alloc_pages() in stack_depot_save_flags().
The task_tick_mm_cid() function with its task_work_add() call was
introduced by commit 223baf9d17f2 ("sched: Fix performance regression
introduced by mm_cid") in v6.4 kernel.
Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
calls stack_depot_save_flags() while not allowing it to allocate
new pages. To allow task_tick_mm_cid() to use task_work without
page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
if set. The task_tick_mm_cid() function is modified to add this new flag.
The possible downside is the missing stack trace in a KASAN report due
to new page allocation required when task_work_add_noallloc() is called
which should be rare.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:21:10.724441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:27:14.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/task_work.h",
"kernel/sched/core.c",
"kernel/task_work.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"status": "affected",
"version": "223baf9d17f25e2608dbdff7232c095c1e612268",
"versionType": "git"
},
{
"lessThan": "ce0241ef83eed55f675376e8a3605d23de53d875",
"status": "affected",
"version": "223baf9d17f25e2608dbdff7232c095c1e612268",
"versionType": "git"
},
{
"lessThan": "73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"status": "affected",
"version": "223baf9d17f25e2608dbdff7232c095c1e612268",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/task_work.h",
"kernel/sched/core.c",
"kernel/task_work.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Disable page allocation in task_tick_mm_cid()\n\nWith KASAN and PREEMPT_RT enabled, calling task_work_add() in\ntask_tick_mm_cid() may cause the following splat.\n\n[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe\n[ 63.696416] preempt_count: 10001, expected: 0\n[ 63.696416] RCU nest depth: 1, expected: 1\n\nThis problem is caused by the following call trace.\n\n sched_tick() [ acquire rq-\u003e__lock ]\n -\u003e task_tick_mm_cid()\n -\u003e task_work_add()\n -\u003e __kasan_record_aux_stack()\n -\u003e kasan_save_stack()\n -\u003e stack_depot_save_flags()\n -\u003e alloc_pages_mpol_noprof()\n -\u003e __alloc_pages_noprof()\n\t -\u003e get_page_from_freelist()\n\t -\u003e rmqueue()\n\t -\u003e rmqueue_pcplist()\n\t -\u003e __rmqueue_pcplist()\n\t -\u003e rmqueue_bulk()\n\t -\u003e rt_spin_lock()\n\nThe rq lock is a raw_spinlock_t. We can\u0027t sleep while holding\nit. IOW, we can\u0027t call alloc_pages() in stack_depot_save_flags().\n\nThe task_tick_mm_cid() function with its task_work_add() call was\nintroduced by commit 223baf9d17f2 (\"sched: Fix performance regression\nintroduced by mm_cid\") in v6.4 kernel.\n\nFortunately, there is a kasan_record_aux_stack_noalloc() variant that\ncalls stack_depot_save_flags() while not allowing it to allocate\nnew pages. To allow task_tick_mm_cid() to use task_work without\npage allocation, a new TWAF_NO_ALLOC flag is added to enable calling\nkasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()\nif set. The task_tick_mm_cid() function is modified to add this new flag.\n\nThe possible downside is the missing stack trace in a KASAN report due\nto new page allocation required when task_work_add_noallloc() is called\nwhich should be rare."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:47:05.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/509c29d0d26f68a6f6d0a05cb1a89725237e2b87"
},
{
"url": "https://git.kernel.org/stable/c/ce0241ef83eed55f675376e8a3605d23de53d875"
},
{
"url": "https://git.kernel.org/stable/c/73ab05aa46b02d96509cb029a8d04fca7bbde8c7"
}
],
"title": "sched/core: Disable page allocation in task_tick_mm_cid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50140",
"datePublished": "2024-11-07T09:31:17.379Z",
"dateReserved": "2024-10-21T19:36:19.956Z",
"dateUpdated": "2025-10-01T20:27:14.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49128 (GCVE-0-2022-49128)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: Add missing pm_runtime_put_sync
pm_runtime_get_sync() will increase the rumtime PM counter
even when it returns an error. Thus a pairing decrement is needed
to prevent refcount leak. Fix this by replacing this API with
pm_runtime_resume_and_get(), which will not change the runtime
PM counter on error. Besides, a matching decrement is needed
on the error handling path to keep the counter balanced.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:24.636231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/nwl-dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff13c90d7f7ab606b37be6d15140d19013d6736c",
"status": "affected",
"version": "44cfc6233447cb2cf47aeb99457de35826a363f6",
"versionType": "git"
},
{
"lessThan": "792533e54cd6e89191798ccd1abd590c62b9077e",
"status": "affected",
"version": "44cfc6233447cb2cf47aeb99457de35826a363f6",
"versionType": "git"
},
{
"lessThan": "9df80dc738926a2ea4bd1ce5993c3d0f4b0e855c",
"status": "affected",
"version": "44cfc6233447cb2cf47aeb99457de35826a363f6",
"versionType": "git"
},
{
"lessThan": "46f47807738441e354873546dde0b000106c068a",
"status": "affected",
"version": "44cfc6233447cb2cf47aeb99457de35826a363f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/nwl-dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: Add missing pm_runtime_put_sync\n\npm_runtime_get_sync() will increase the rumtime PM counter\neven when it returns an error. Thus a pairing decrement is needed\nto prevent refcount leak. Fix this by replacing this API with\npm_runtime_resume_and_get(), which will not change the runtime\nPM counter on error. Besides, a matching decrement is needed\non the error handling path to keep the counter balanced."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:35.509Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff13c90d7f7ab606b37be6d15140d19013d6736c"
},
{
"url": "https://git.kernel.org/stable/c/792533e54cd6e89191798ccd1abd590c62b9077e"
},
{
"url": "https://git.kernel.org/stable/c/9df80dc738926a2ea4bd1ce5993c3d0f4b0e855c"
},
{
"url": "https://git.kernel.org/stable/c/46f47807738441e354873546dde0b000106c068a"
}
],
"title": "drm/bridge: Add missing pm_runtime_put_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49128",
"datePublished": "2025-02-26T01:55:05.126Z",
"dateReserved": "2025-02-26T01:49:39.266Z",
"dateUpdated": "2025-10-01T19:57:03.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49924 (GCVE-0-2024-49924)
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-11-03 22:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: pxafb: Fix possible use after free in pxafb_task()
In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
after which &fbi->task is associated with pxafb_task. Moreover,
within this pxafb_init_fbinfo function, the pxafb_blank function
within the &pxafb_ops struct is capable of scheduling work.
If we remove the module which will call pxafb_remove to make cleanup,
it will call unregister_framebuffer function which can call
do_unregister_framebuffer to free fbi->fb through
put_fb_info(fb_info), while the work mentioned above will be used.
The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| pxafb_task
pxafb_remove |
unregister_framebuffer(info) |
do_unregister_framebuffer(fb_info) |
put_fb_info(fb_info) |
// free fbi->fb | set_ctrlr_state(fbi, state)
| __pxafb_lcd_power(fbi, 0)
| fbi->lcd_power(on, &fbi->fb.var)
| //use fbi->fb
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in pxafb_remove.
Note that only root user can remove the driver at runtime.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:39:57.349772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:48:44.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:23:13.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/pxafb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6d0a07f68b66269e167def6c0b90a219cd3e7473",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6897e299f57b103e999e62010b88e363b3eebae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4cda484e584be34d55ee17436ebf7ad11922b97a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c0d416eb4bef705f699213cee94bf54b6acdacd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdda354f60a576d52dcf90351254714681df4370",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aaadc0cb05c999ccd8898a03298b7e5c31509b08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3a855764dbacbdb1cc51e15dc588f2d21c93e0e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4a6921095eb04a900e0000da83d9475eb958e61e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/pxafb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which \u0026fbi-\u003etask is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the \u0026pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi-\u003efb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | pxafb_task\npxafb_remove |\nunregister_framebuffer(info) |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info) |\n// free fbi-\u003efb | set_ctrlr_state(fbi, state)\n | __pxafb_lcd_power(fbi, 0)\n | fbi-\u003elcd_power(on, \u0026fbi-\u003efb.var)\n | //use fbi-\u003efb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:41:22.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd"
},
{
"url": "https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473"
},
{
"url": "https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae"
},
{
"url": "https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a"
},
{
"url": "https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd"
},
{
"url": "https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370"
},
{
"url": "https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08"
},
{
"url": "https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e"
},
{
"url": "https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e"
}
],
"title": "fbdev: pxafb: Fix possible use after free in pxafb_task()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49924",
"datePublished": "2024-10-21T18:01:49.076Z",
"dateReserved": "2024-10-21T12:17:06.036Z",
"dateUpdated": "2025-11-03T22:23:13.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49491 (GCVE-0-2022-49491)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
It will cause null-ptr-deref in resource_size(), if platform_get_resource()
returns NULL, move calling resource_size() after devm_ioremap_resource() that
will check 'res' to avoid null-ptr-deref.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 Version: 2048e3286f347db5667708e47448176b5329e8d8 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:59.630683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/rockchip/rockchip_drm_vop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "452922955df215a417c80d09dab72bbc667a1861",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "fcd6a886443730c39170b8383411e52118aec0a3",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "6ff986e057bf28e2f7690dad410768b2270f9453",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "a9b4599665e437de8a1152799c34841b799a2e1c",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "3451852312303d54a003c73bd0ae39cebb960bd5",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "b54926bd558d97c888c3d2d87886f3c159d3254a",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "769c53bb6116d0eaec0f1fe4ec4b27a74465cad1",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "ecfa52654d0c9c333c1fe1611f47105f6bce9591",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
},
{
"lessThan": "f8c242908ad15bbd604d3bcb54961b7d454c43f8",
"status": "affected",
"version": "2048e3286f347db5667708e47448176b5329e8d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/rockchip/rockchip_drm_vop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop: fix possible null-ptr-deref in vop_bind()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check \u0027res\u0027 to avoid null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:03.751Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/452922955df215a417c80d09dab72bbc667a1861"
},
{
"url": "https://git.kernel.org/stable/c/fcd6a886443730c39170b8383411e52118aec0a3"
},
{
"url": "https://git.kernel.org/stable/c/6ff986e057bf28e2f7690dad410768b2270f9453"
},
{
"url": "https://git.kernel.org/stable/c/a9b4599665e437de8a1152799c34841b799a2e1c"
},
{
"url": "https://git.kernel.org/stable/c/3451852312303d54a003c73bd0ae39cebb960bd5"
},
{
"url": "https://git.kernel.org/stable/c/b54926bd558d97c888c3d2d87886f3c159d3254a"
},
{
"url": "https://git.kernel.org/stable/c/769c53bb6116d0eaec0f1fe4ec4b27a74465cad1"
},
{
"url": "https://git.kernel.org/stable/c/ecfa52654d0c9c333c1fe1611f47105f6bce9591"
},
{
"url": "https://git.kernel.org/stable/c/f8c242908ad15bbd604d3bcb54961b7d454c43f8"
}
],
"title": "drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49491",
"datePublished": "2025-02-26T02:13:28.158Z",
"dateReserved": "2025-02-26T02:08:31.585Z",
"dateUpdated": "2025-10-01T19:46:44.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42229 (GCVE-0-2024-42229)
Vulnerability from cvelistv5
Published
2024-07-30 07:47
Modified
2025-11-03 22:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: aead,cipher - zeroize key buffer after use
I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
cryptographic information should be zeroized once they are no longer
needed. Accomplish this by using kfree_sensitive for buffers that
previously held the private key.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:02:33.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:14:28.221263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:32.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/aead.c",
"crypto/cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89b9b6fa4463daf820e6a5ef65c3b0c2db239513",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b716e9c3603ee95ed45e938fe47227d22cf3ec35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9db8c299a521813630fcb4154298cb60c37f3133",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71dd428615375e36523f4d4f7685ddd54113646d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "28c8d274848feba552e95c5c2a7e3cfe8f15c534",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f58679996a831754a356974376f248aa0af2eb8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23e4099bdc3c8381992f9eb975c79196d6755210",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/aead.c",
"crypto/cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.222",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.98",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.222",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:36.883Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89b9b6fa4463daf820e6a5ef65c3b0c2db239513"
},
{
"url": "https://git.kernel.org/stable/c/b716e9c3603ee95ed45e938fe47227d22cf3ec35"
},
{
"url": "https://git.kernel.org/stable/c/9db8c299a521813630fcb4154298cb60c37f3133"
},
{
"url": "https://git.kernel.org/stable/c/71dd428615375e36523f4d4f7685ddd54113646d"
},
{
"url": "https://git.kernel.org/stable/c/28c8d274848feba552e95c5c2a7e3cfe8f15c534"
},
{
"url": "https://git.kernel.org/stable/c/b502d4a08875ea2b4ea5d5b28dc7c991c8b90cfb"
},
{
"url": "https://git.kernel.org/stable/c/f58679996a831754a356974376f248aa0af2eb8e"
},
{
"url": "https://git.kernel.org/stable/c/23e4099bdc3c8381992f9eb975c79196d6755210"
}
],
"title": "crypto: aead,cipher - zeroize key buffer after use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42229",
"datePublished": "2024-07-30T07:47:09.817Z",
"dateReserved": "2024-07-30T07:40:12.250Z",
"dateUpdated": "2025-11-03T22:02:33.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49098 (GCVE-0-2022-49098)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Fix potential crash on module unload
The vmbus driver relies on the panic notifier infrastructure to perform
some operations when a panic event is detected. Since vmbus can be built
as module, it is required that the driver handles both registering and
unregistering such panic notifier callback.
After commit 74347a99e73a ("x86/Hyper-V: Unload vmbus channel in hv panic callback")
though, the panic notifier registration is done unconditionally in the module
initialization routine whereas the unregistering procedure is conditionally
guarded and executes only if HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE capability
is set.
This patch fixes that by unconditionally unregistering the panic notifier
in the module's exit routine as well.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5e059fc0f054309036d3f612bc8b0a502ca58545 Version: 9f38f7b46de0747c1909e8c557aa21715dce20c5 Version: 74347a99e73ae00b8385f1209aaea193c670f901 Version: 74347a99e73ae00b8385f1209aaea193c670f901 Version: 74347a99e73ae00b8385f1209aaea193c670f901 Version: 74347a99e73ae00b8385f1209aaea193c670f901 Version: 74347a99e73ae00b8385f1209aaea193c670f901 Version: caeeb3787167c884b955404a7e669fd77f267e44 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b4c0149a56147b29169e07000d566162892722a",
"status": "affected",
"version": "5e059fc0f054309036d3f612bc8b0a502ca58545",
"versionType": "git"
},
{
"lessThan": "2133c422a103cf7c7768c37b9ac382e73b691892",
"status": "affected",
"version": "9f38f7b46de0747c1909e8c557aa21715dce20c5",
"versionType": "git"
},
{
"lessThan": "cf580d2e3884dbafd6b90269b03a24d661578624",
"status": "affected",
"version": "74347a99e73ae00b8385f1209aaea193c670f901",
"versionType": "git"
},
{
"lessThan": "dcd6b1a624c0ffa21034d8b1e02e9d068458f596",
"status": "affected",
"version": "74347a99e73ae00b8385f1209aaea193c670f901",
"versionType": "git"
},
{
"lessThan": "5ea98d0f5f035c1bcf1517ccec0e024ae35a48b2",
"status": "affected",
"version": "74347a99e73ae00b8385f1209aaea193c670f901",
"versionType": "git"
},
{
"lessThan": "3d0078f8bddd58d9bb1ad40bbe929f8633abb276",
"status": "affected",
"version": "74347a99e73ae00b8385f1209aaea193c670f901",
"versionType": "git"
},
{
"lessThan": "792f232d57ff28bbd5f9c4abe0466b23d5879dc8",
"status": "affected",
"version": "74347a99e73ae00b8385f1209aaea193c670f901",
"versionType": "git"
},
{
"status": "affected",
"version": "caeeb3787167c884b955404a7e669fd77f267e44",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.19.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.4.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix potential crash on module unload\n\nThe vmbus driver relies on the panic notifier infrastructure to perform\nsome operations when a panic event is detected. Since vmbus can be built\nas module, it is required that the driver handles both registering and\nunregistering such panic notifier callback.\n\nAfter commit 74347a99e73a (\"x86/Hyper-V: Unload vmbus channel in hv panic callback\")\nthough, the panic notifier registration is done unconditionally in the module\ninitialization routine whereas the unregistering procedure is conditionally\nguarded and executes only if HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE capability\nis set.\n\nThis patch fixes that by unconditionally unregistering the panic notifier\nin the module\u0027s exit routine as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:17.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b4c0149a56147b29169e07000d566162892722a"
},
{
"url": "https://git.kernel.org/stable/c/2133c422a103cf7c7768c37b9ac382e73b691892"
},
{
"url": "https://git.kernel.org/stable/c/cf580d2e3884dbafd6b90269b03a24d661578624"
},
{
"url": "https://git.kernel.org/stable/c/dcd6b1a624c0ffa21034d8b1e02e9d068458f596"
},
{
"url": "https://git.kernel.org/stable/c/5ea98d0f5f035c1bcf1517ccec0e024ae35a48b2"
},
{
"url": "https://git.kernel.org/stable/c/3d0078f8bddd58d9bb1ad40bbe929f8633abb276"
},
{
"url": "https://git.kernel.org/stable/c/792f232d57ff28bbd5f9c4abe0466b23d5879dc8"
}
],
"title": "Drivers: hv: vmbus: Fix potential crash on module unload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49098",
"datePublished": "2025-02-26T01:54:50.073Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-05-04T12:44:17.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49299 (GCVE-0-2022-49299)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-06-19T13:03:26.154Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49299",
"datePublished": "2025-02-26T02:10:34.977Z",
"dateRejected": "2025-06-19T13:03:26.154Z",
"dateReserved": "2025-02-26T02:08:31.534Z",
"dateUpdated": "2025-06-19T13:03:26.154Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49362 (GCVE-0-2022-49362)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix potential use-after-free in nfsd_file_put()
nfsd_file_put_noref() can free @nf, so don't dereference @nf
immediately upon return from nfsd_file_put_noref().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49362",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:34.174132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/filecache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ada1757b259f353cade47037ee0a0249b4cddad3",
"status": "affected",
"version": "9862064ca81f9b9da8ebe26c86cf2b10c293ba1a",
"versionType": "git"
},
{
"lessThan": "261eabe19cb28e4a8587a4442d257b543d7c2d57",
"status": "affected",
"version": "a98e5b3d958ac697aafb3d077eb2cca4a731b7ee",
"versionType": "git"
},
{
"lessThan": "333dcc94ebf53f79f3dc0e7a7c16700bc7ff7e57",
"status": "affected",
"version": "999397926ab3f78c7d1235cc4ca6e3c89d2769bf",
"versionType": "git"
},
{
"lessThan": "b6c71c66b0ad8f2b59d9bc08c7a5079b110bec01",
"status": "affected",
"version": "999397926ab3f78c7d1235cc4ca6e3c89d2769bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/filecache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix potential use-after-free in nfsd_file_put()\n\nnfsd_file_put_noref() can free @nf, so don\u0027t dereference @nf\nimmediately upon return from nfsd_file_put_noref()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:05.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ada1757b259f353cade47037ee0a0249b4cddad3"
},
{
"url": "https://git.kernel.org/stable/c/261eabe19cb28e4a8587a4442d257b543d7c2d57"
},
{
"url": "https://git.kernel.org/stable/c/333dcc94ebf53f79f3dc0e7a7c16700bc7ff7e57"
},
{
"url": "https://git.kernel.org/stable/c/b6c71c66b0ad8f2b59d9bc08c7a5079b110bec01"
}
],
"title": "NFSD: Fix potential use-after-free in nfsd_file_put()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49362",
"datePublished": "2025-02-26T02:11:09.344Z",
"dateReserved": "2025-02-26T02:08:31.547Z",
"dateUpdated": "2025-05-04T08:36:05.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49700 (GCVE-0-2022-49700)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: add missing TID updates on slab deactivation
The fastpath in slab_alloc_node() assumes that c->slab is stable as long as
the TID stays the same. However, two places in __slab_alloc() currently
don't update the TID when deactivating the CPU slab.
If multiple operations race the right way, this could lead to an object
getting lost; or, in an even more unlikely situation, it could even lead to
an object being freed onto the wrong slab's freelist, messing up the
`inuse` counter and eventually causing a page to be freed to the page
allocator while it still contains slab objects.
(I haven't actually tested these cases though, this is just based on
looking at the code. Writing testcases for this stuff seems like it'd be
a pain...)
The race leading to state inconsistency is (all operations on the same CPU
and kmem_cache):
- task A: begin do_slab_free():
- read TID
- read pcpu freelist (==NULL)
- check `slab == c->slab` (true)
- [PREEMPT A->B]
- task B: begin slab_alloc_node():
- fastpath fails (`c->freelist` is NULL)
- enter __slab_alloc()
- slub_get_cpu_ptr() (disables preemption)
- enter ___slab_alloc()
- take local_lock_irqsave()
- read c->freelist as NULL
- get_freelist() returns NULL
- write `c->slab = NULL`
- drop local_unlock_irqrestore()
- goto new_slab
- slub_percpu_partial() is NULL
- get_partial() returns NULL
- slub_put_cpu_ptr() (enables preemption)
- [PREEMPT B->A]
- task A: finish do_slab_free():
- this_cpu_cmpxchg_double() succeeds()
- [CORRUPT STATE: c->slab==NULL, c->freelist!=NULL]
From there, the object on c->freelist will get lost if task B is allowed to
continue from here: It will proceed to the retry_load_slab label,
set c->slab, then jump to load_freelist, which clobbers c->freelist.
But if we instead continue as follows, we get worse corruption:
- task A: run __slab_free() on object from other struct slab:
- CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial)
- task A: run slab_alloc_node() with NUMA node constraint:
- fastpath fails (c->slab is NULL)
- call __slab_alloc()
- slub_get_cpu_ptr() (disables preemption)
- enter ___slab_alloc()
- c->slab is NULL: goto new_slab
- slub_percpu_partial() is non-NULL
- set c->slab to slub_percpu_partial(c)
- [CORRUPT STATE: c->slab points to slab-1, c->freelist has objects
from slab-2]
- goto redo
- node_match() fails
- goto deactivate_slab
- existing c->freelist is passed into deactivate_slab()
- inuse count of slab-1 is decremented to account for object from
slab-2
At this point, the inuse count of slab-1 is 1 lower than it should be.
This means that if we free all allocated objects in slab-1 except for one,
SLUB will think that slab-1 is completely unused, and may free its page,
leading to use-after-free.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce Version: 03e404af26dc2ea0d278d7a342de0aab394793ce |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:57.244122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "308c6d0e1f200fd26c71270c6e6bfcf0fc6ff082",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "d6a597450e686d4c6388bd3cdcb17224b4dae7f0",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "e2b2f0e2e34d71ae6c2a1114fd3c525930e84bc7",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "e7e3e90d671078455a3a08189f89d85b3da2de9e",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "6c32496964da0dc230cea763a0e934b2e02dabd5",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "0515cc9b6b24877f59b222ade704bfaa42caa2a6",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "197e257da473c725dfe47759c3ee02f2398d8ea5",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
},
{
"lessThan": "eeaa345e128515135ccb864c04482180c08e3259",
"status": "affected",
"version": "03e404af26dc2ea0d278d7a342de0aab394793ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.323",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.288",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.252",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.205",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: add missing TID updates on slab deactivation\n\nThe fastpath in slab_alloc_node() assumes that c-\u003eslab is stable as long as\nthe TID stays the same. However, two places in __slab_alloc() currently\ndon\u0027t update the TID when deactivating the CPU slab.\n\nIf multiple operations race the right way, this could lead to an object\ngetting lost; or, in an even more unlikely situation, it could even lead to\nan object being freed onto the wrong slab\u0027s freelist, messing up the\n`inuse` counter and eventually causing a page to be freed to the page\nallocator while it still contains slab objects.\n\n(I haven\u0027t actually tested these cases though, this is just based on\nlooking at the code. Writing testcases for this stuff seems like it\u0027d be\na pain...)\n\nThe race leading to state inconsistency is (all operations on the same CPU\nand kmem_cache):\n\n - task A: begin do_slab_free():\n - read TID\n - read pcpu freelist (==NULL)\n - check `slab == c-\u003eslab` (true)\n - [PREEMPT A-\u003eB]\n - task B: begin slab_alloc_node():\n - fastpath fails (`c-\u003efreelist` is NULL)\n - enter __slab_alloc()\n - slub_get_cpu_ptr() (disables preemption)\n - enter ___slab_alloc()\n - take local_lock_irqsave()\n - read c-\u003efreelist as NULL\n - get_freelist() returns NULL\n - write `c-\u003eslab = NULL`\n - drop local_unlock_irqrestore()\n - goto new_slab\n - slub_percpu_partial() is NULL\n - get_partial() returns NULL\n - slub_put_cpu_ptr() (enables preemption)\n - [PREEMPT B-\u003eA]\n - task A: finish do_slab_free():\n - this_cpu_cmpxchg_double() succeeds()\n - [CORRUPT STATE: c-\u003eslab==NULL, c-\u003efreelist!=NULL]\n\nFrom there, the object on c-\u003efreelist will get lost if task B is allowed to\ncontinue from here: It will proceed to the retry_load_slab label,\nset c-\u003eslab, then jump to load_freelist, which clobbers c-\u003efreelist.\n\nBut if we instead continue as follows, we get worse corruption:\n\n - task A: run __slab_free() on object from other struct slab:\n - CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial)\n - task A: run slab_alloc_node() with NUMA node constraint:\n - fastpath fails (c-\u003eslab is NULL)\n - call __slab_alloc()\n - slub_get_cpu_ptr() (disables preemption)\n - enter ___slab_alloc()\n - c-\u003eslab is NULL: goto new_slab\n - slub_percpu_partial() is non-NULL\n - set c-\u003eslab to slub_percpu_partial(c)\n - [CORRUPT STATE: c-\u003eslab points to slab-1, c-\u003efreelist has objects\n from slab-2]\n - goto redo\n - node_match() fails\n - goto deactivate_slab\n - existing c-\u003efreelist is passed into deactivate_slab()\n - inuse count of slab-1 is decremented to account for object from\n slab-2\n\nAt this point, the inuse count of slab-1 is 1 lower than it should be.\nThis means that if we free all allocated objects in slab-1 except for one,\nSLUB will think that slab-1 is completely unused, and may free its page,\nleading to use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:32.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/308c6d0e1f200fd26c71270c6e6bfcf0fc6ff082"
},
{
"url": "https://git.kernel.org/stable/c/d6a597450e686d4c6388bd3cdcb17224b4dae7f0"
},
{
"url": "https://git.kernel.org/stable/c/e2b2f0e2e34d71ae6c2a1114fd3c525930e84bc7"
},
{
"url": "https://git.kernel.org/stable/c/e7e3e90d671078455a3a08189f89d85b3da2de9e"
},
{
"url": "https://git.kernel.org/stable/c/6c32496964da0dc230cea763a0e934b2e02dabd5"
},
{
"url": "https://git.kernel.org/stable/c/0515cc9b6b24877f59b222ade704bfaa42caa2a6"
},
{
"url": "https://git.kernel.org/stable/c/197e257da473c725dfe47759c3ee02f2398d8ea5"
},
{
"url": "https://git.kernel.org/stable/c/eeaa345e128515135ccb864c04482180c08e3259"
}
],
"title": "mm/slub: add missing TID updates on slab deactivation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49700",
"datePublished": "2025-02-26T02:24:20.878Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-05-04T08:43:32.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47638 (GCVE-0-2021-47638)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
'whiteout_ui->data' will be freed twice if space budget fail for
rename whiteout operation as following process:
rename_whiteout
dev = kmalloc
whiteout_ui->data = dev
kfree(whiteout_ui->data) // Free first time
iput(whiteout)
ubifs_free_inode
kfree(ui->data) // Double free!
KASAN reports:
==================================================================
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
Call Trace:
kfree+0x117/0x490
ubifs_free_inode+0x4f/0x70 [ubifs]
i_callback+0x30/0x60
rcu_do_batch+0x366/0xac0
__do_softirq+0x133/0x57f
Allocated by task 1506:
kmem_cache_alloc_trace+0x3c2/0x7a0
do_rename+0x9b7/0x1150 [ubifs]
ubifs_rename+0x106/0x1f0 [ubifs]
do_syscall_64+0x35/0x80
Freed by task 1506:
kfree+0x117/0x490
do_rename.cold+0x53/0x8a [ubifs]
ubifs_rename+0x106/0x1f0 [ubifs]
do_syscall_64+0x35/0x80
The buggy address belongs to the object at ffff88810238bed8 which
belongs to the cache kmalloc-8 of size 8
==================================================================
Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',
and the nlink of whiteout inode is 0).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:47.905064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:08.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b3c7be16f3f4dfd6e15ac651484e59d3fa36274",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "2b3236ecf96db7af5836e1366ce39ace8ce832fa",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "14276d38c89a170363e90b6ac0a53c3cf61b87fc",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "a90e2dbe66d2647ff95a0442ad2e86482d977fd8",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "2ad07009c459e56ebdcc089d850d664660fdb742",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "b9a937f096e608b3368c1abc920d4d640ba2c94f",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "6d7a158a7363c1f6604aa47ae1a280a5c65123dd",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "40a8f0d5e7b3999f096570edab71c345da812e3e",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: rename_whiteout: Fix double free for whiteout_ui-\u003edata\n\n\u0027whiteout_ui-\u003edata\u0027 will be freed twice if space budget fail for\nrename whiteout operation as following process:\n\nrename_whiteout\n dev = kmalloc\n whiteout_ui-\u003edata = dev\n kfree(whiteout_ui-\u003edata) // Free first time\n iput(whiteout)\n ubifs_free_inode\n kfree(ui-\u003edata)\t // Double free!\n\nKASAN reports:\n==================================================================\nBUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70\nCall Trace:\n kfree+0x117/0x490\n ubifs_free_inode+0x4f/0x70 [ubifs]\n i_callback+0x30/0x60\n rcu_do_batch+0x366/0xac0\n __do_softirq+0x133/0x57f\n\nAllocated by task 1506:\n kmem_cache_alloc_trace+0x3c2/0x7a0\n do_rename+0x9b7/0x1150 [ubifs]\n ubifs_rename+0x106/0x1f0 [ubifs]\n do_syscall_64+0x35/0x80\n\nFreed by task 1506:\n kfree+0x117/0x490\n do_rename.cold+0x53/0x8a [ubifs]\n ubifs_rename+0x106/0x1f0 [ubifs]\n do_syscall_64+0x35/0x80\n\nThe buggy address belongs to the object at ffff88810238bed8 which\nbelongs to the cache kmalloc-8 of size 8\n==================================================================\n\nLet ubifs_free_inode() free \u0027whiteout_ui-\u003edata\u0027. BTW, delete unused\nassignment \u0027whiteout_ui-\u003edata_len = 0\u0027, process \u0027ubifs_evict_inode()\n-\u003e ubifs_jnl_delete_inode() -\u003e ubifs_jnl_write_inode()\u0027 doesn\u0027t need it\n(because \u0027inc_nlink(whiteout)\u0027 won\u0027t be excuted by \u0027goto out_release\u0027,\n and the nlink of whiteout inode is 0)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:17.543Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b3c7be16f3f4dfd6e15ac651484e59d3fa36274"
},
{
"url": "https://git.kernel.org/stable/c/2b3236ecf96db7af5836e1366ce39ace8ce832fa"
},
{
"url": "https://git.kernel.org/stable/c/14276d38c89a170363e90b6ac0a53c3cf61b87fc"
},
{
"url": "https://git.kernel.org/stable/c/a90e2dbe66d2647ff95a0442ad2e86482d977fd8"
},
{
"url": "https://git.kernel.org/stable/c/2ad07009c459e56ebdcc089d850d664660fdb742"
},
{
"url": "https://git.kernel.org/stable/c/b9a937f096e608b3368c1abc920d4d640ba2c94f"
},
{
"url": "https://git.kernel.org/stable/c/6d7a158a7363c1f6604aa47ae1a280a5c65123dd"
},
{
"url": "https://git.kernel.org/stable/c/40a8f0d5e7b3999f096570edab71c345da812e3e"
}
],
"title": "ubifs: rename_whiteout: Fix double free for whiteout_ui-\u003edata",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47638",
"datePublished": "2025-02-26T01:54:11.178Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:08.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43820 (GCVE-0-2024-43820)
Vulnerability from cvelistv5
Published
2024-08-17 09:21
Modified
2025-05-04 12:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume
rm-raid devices will occasionally trigger the following warning when
being resumed after a table load because DM_RECOVERY_RUNNING is set:
WARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid]
The failing check is:
WARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, &mddev->recovery));
This check is designed to make sure that the sync thread isn't
registered, but md_check_recovery can set MD_RECOVERY_RUNNING without
the sync_thread ever getting registered. Instead of checking if
MD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:09:03.715774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:25.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5c15a78c0e1631b7df822b56e8b6424e4d1ca3e",
"status": "affected",
"version": "16c4770c75b1223998adbeb7286f9a15c65fba73",
"versionType": "git"
},
{
"lessThan": "3199a34bfaf7561410e0be1e33a61eba870768fc",
"status": "affected",
"version": "16c4770c75b1223998adbeb7286f9a15c65fba73",
"versionType": "git"
},
{
"status": "affected",
"version": "af916cb66a80597f3523bc85812e790bcdcfd62b",
"versionType": "git"
},
{
"status": "affected",
"version": "eaa8fc9b092837cf2c754bde1a15d784ce9a85ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-raid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume\n\nrm-raid devices will occasionally trigger the following warning when\nbeing resumed after a table load because DM_RECOVERY_RUNNING is set:\n\nWARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid]\n\nThe failing check is:\nWARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, \u0026mddev-\u003erecovery));\n\nThis check is designed to make sure that the sync thread isn\u0027t\nregistered, but md_check_recovery can set MD_RECOVERY_RUNNING without\nthe sync_thread ever getting registered. Instead of checking if\nMD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:58:08.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5c15a78c0e1631b7df822b56e8b6424e4d1ca3e"
},
{
"url": "https://git.kernel.org/stable/c/3199a34bfaf7561410e0be1e33a61eba870768fc"
}
],
"title": "dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-43820",
"datePublished": "2024-08-17T09:21:41.674Z",
"dateReserved": "2024-08-17T09:11:59.271Z",
"dateUpdated": "2025-05-04T12:58:08.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49519 (GCVE-0-2022-49519)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-09-15 12:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath10k: skip ath10k_halt during suspend for driver state RESTARTING
Double free crash is observed when FW recovery(caused by wmi
timeout/crash) is followed by immediate suspend event. The FW recovery
is triggered by ath10k_core_restart() which calls driver clean up via
ath10k_halt(). When the suspend event occurs between the FW recovery,
the restart worker thread is put into frozen state until suspend completes.
The suspend event triggers ath10k_stop() which again triggers ath10k_halt()
The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be
called twice(Note: ath10k_htt_rx_alloc was not called by restart worker
thread because of its frozen state), causing the crash.
To fix this, during the suspend flow, skip call to ath10k_halt() in
ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.
Also, for driver state ATH10K_STATE_RESTARTING, call
ath10k_wait_for_suspend() in ath10k_stop(). This is because call to
ath10k_wait_for_suspend() is skipped later in
[ath10k_halt() > ath10k_core_stop()] for the driver state
ATH10K_STATE_RESTARTING.
The frozen restart worker thread will be cancelled during resume when the
device comes out of suspend.
Below is the crash stack for reference:
[ 428.469167] ------------[ cut here ]------------
[ 428.469180] kernel BUG at mm/slub.c:4150!
[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 428.469219] Workqueue: events_unbound async_run_entry_fn
[ 428.469230] RIP: 0010:kfree+0x319/0x31b
[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 428.469285] Call Trace:
[ 428.469295] ? dma_free_attrs+0x5f/0x7d
[ 428.469320] ath10k_core_stop+0x5b/0x6f
[ 428.469336] ath10k_halt+0x126/0x177
[ 428.469352] ath10k_stop+0x41/0x7e
[ 428.469387] drv_stop+0x88/0x10e
[ 428.469410] __ieee80211_suspend+0x297/0x411
[ 428.469441] rdev_suspend+0x6e/0xd0
[ 428.469462] wiphy_suspend+0xb1/0x105
[ 428.469483] ? name_show+0x2d/0x2d
[ 428.469490] dpm_run_callback+0x8c/0x126
[ 428.469511] ? name_show+0x2d/0x2d
[ 428.469517] __device_suspend+0x2e7/0x41b
[ 428.469523] async_suspend+0x1f/0x93
[ 428.469529] async_run_entry_fn+0x3d/0xd1
[ 428.469535] process_one_work+0x1b1/0x329
[ 428.469541] worker_thread+0x213/0x372
[ 428.469547] kthread+0x150/0x15f
[ 428.469552] ? pr_cont_work+0x58/0x58
[ 428.469558] ? kthread_blkcg+0x31/0x31
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8aa3750986ffcf73e0692db3b40dd3a8e8c0c575",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "c2272428090d0d215a3f017cbbbad731c07eee53",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "7eb14cb604f49e58b7cf6faa87961a865a3c8649",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
},
{
"lessThan": "b72a4aff947ba807177bdabb43debaf2c66bee05",
"status": "affected",
"version": "5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: skip ath10k_halt during suspend for driver state RESTARTING\n\nDouble free crash is observed when FW recovery(caused by wmi\ntimeout/crash) is followed by immediate suspend event. The FW recovery\nis triggered by ath10k_core_restart() which calls driver clean up via\nath10k_halt(). When the suspend event occurs between the FW recovery,\nthe restart worker thread is put into frozen state until suspend completes.\nThe suspend event triggers ath10k_stop() which again triggers ath10k_halt()\nThe double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be\ncalled twice(Note: ath10k_htt_rx_alloc was not called by restart worker\nthread because of its frozen state), causing the crash.\n\nTo fix this, during the suspend flow, skip call to ath10k_halt() in\nath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.\nAlso, for driver state ATH10K_STATE_RESTARTING, call\nath10k_wait_for_suspend() in ath10k_stop(). This is because call to\nath10k_wait_for_suspend() is skipped later in\n[ath10k_halt() \u003e ath10k_core_stop()] for the driver state\nATH10K_STATE_RESTARTING.\n\nThe frozen restart worker thread will be cancelled during resume when the\ndevice comes out of suspend.\n\nBelow is the crash stack for reference:\n\n[ 428.469167] ------------[ cut here ]------------\n[ 428.469180] kernel BUG at mm/slub.c:4150!\n[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 428.469219] Workqueue: events_unbound async_run_entry_fn\n[ 428.469230] RIP: 0010:kfree+0x319/0x31b\n[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246\n[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000\n[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000\n[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000\n[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 428.469285] Call Trace:\n[ 428.469295] ? dma_free_attrs+0x5f/0x7d\n[ 428.469320] ath10k_core_stop+0x5b/0x6f\n[ 428.469336] ath10k_halt+0x126/0x177\n[ 428.469352] ath10k_stop+0x41/0x7e\n[ 428.469387] drv_stop+0x88/0x10e\n[ 428.469410] __ieee80211_suspend+0x297/0x411\n[ 428.469441] rdev_suspend+0x6e/0xd0\n[ 428.469462] wiphy_suspend+0xb1/0x105\n[ 428.469483] ? name_show+0x2d/0x2d\n[ 428.469490] dpm_run_callback+0x8c/0x126\n[ 428.469511] ? name_show+0x2d/0x2d\n[ 428.469517] __device_suspend+0x2e7/0x41b\n[ 428.469523] async_suspend+0x1f/0x93\n[ 428.469529] async_run_entry_fn+0x3d/0xd1\n[ 428.469535] process_one_work+0x1b1/0x329\n[ 428.469541] worker_thread+0x213/0x372\n[ 428.469547] kthread+0x150/0x15f\n[ 428.469552] ? pr_cont_work+0x58/0x58\n[ 428.469558] ? kthread_blkcg+0x31/0x31\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T12:14:07.773Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8aa3750986ffcf73e0692db3b40dd3a8e8c0c575"
},
{
"url": "https://git.kernel.org/stable/c/c2272428090d0d215a3f017cbbbad731c07eee53"
},
{
"url": "https://git.kernel.org/stable/c/7eb14cb604f49e58b7cf6faa87961a865a3c8649"
},
{
"url": "https://git.kernel.org/stable/c/5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5"
},
{
"url": "https://git.kernel.org/stable/c/b72a4aff947ba807177bdabb43debaf2c66bee05"
}
],
"title": "ath10k: skip ath10k_halt during suspend for driver state RESTARTING",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49519",
"datePublished": "2025-02-26T02:13:45.857Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-09-15T12:14:07.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49618 (GCVE-0-2022-49618)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()
pdesc could be null but still dereference pdesc->name and it will lead to
a null pointer access. So we move a null check before dereference.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:48.286581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/aspeed/pinctrl-aspeed.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef1e38532f4b2f0f3b460e938a2e7076c3bed5ee",
"status": "affected",
"version": "4d3d0e4272d8d660f5f14f5abcf96fb4df1aa94b",
"versionType": "git"
},
{
"lessThan": "3cb392b64304a05bf647e2e44efacd9a1f3c3c6a",
"status": "affected",
"version": "4d3d0e4272d8d660f5f14f5abcf96fb4df1aa94b",
"versionType": "git"
},
{
"lessThan": "e162a24f1dd06c0dcae71f2565c9f3da2827b98e",
"status": "affected",
"version": "4d3d0e4272d8d660f5f14f5abcf96fb4df1aa94b",
"versionType": "git"
},
{
"lessThan": "84a85d3fef2e75b1fe9fc2af6f5267122555a1ed",
"status": "affected",
"version": "4d3d0e4272d8d660f5f14f5abcf96fb4df1aa94b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/aspeed/pinctrl-aspeed.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()\n\npdesc could be null but still dereference pdesc-\u003ename and it will lead to\na null pointer access. So we move a null check before dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:54.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef1e38532f4b2f0f3b460e938a2e7076c3bed5ee"
},
{
"url": "https://git.kernel.org/stable/c/3cb392b64304a05bf647e2e44efacd9a1f3c3c6a"
},
{
"url": "https://git.kernel.org/stable/c/e162a24f1dd06c0dcae71f2565c9f3da2827b98e"
},
{
"url": "https://git.kernel.org/stable/c/84a85d3fef2e75b1fe9fc2af6f5267122555a1ed"
}
],
"title": "pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49618",
"datePublished": "2025-02-26T02:23:37.185Z",
"dateReserved": "2025-02-26T02:21:30.419Z",
"dateUpdated": "2025-10-01T19:36:51.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21671 (GCVE-0-2025-21671)
Vulnerability from cvelistv5
Published
2025-01-31 11:25
Modified
2025-11-03 20:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
zram: fix potential UAF of zram table
If zram_meta_alloc failed early, it frees allocated zram->table without
setting it NULL. Which will potentially cause zram_meta_free to access
the table if user reset an failed and uninitialized device.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:11:50.678589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:21:05.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:58:51.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/zram/zram_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe3de867f94819ba0f28e035c0b0182150147d95",
"status": "affected",
"version": "ac3b5366b9b7c9d97b606532ceab43d2329a22f3",
"versionType": "git"
},
{
"lessThan": "571d3f6045cd3a6d9f6aec33b678f3ffe97582ef",
"status": "affected",
"version": "0b5b0b65561b34e6e360de317e4bcd031bfabf42",
"versionType": "git"
},
{
"lessThan": "902ef8f16d5ca77edc77c30656be54186c1e99b7",
"status": "affected",
"version": "6fb92e9a52e3feae309a213950f21dfcd1eb0b40",
"versionType": "git"
},
{
"lessThan": "212fe1c0df4a150fb6298db2cfff267ceaba5402",
"status": "affected",
"version": "74363ec674cb172d8856de25776c8f3103f05e2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/zram/zram_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.127",
"status": "affected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThan": "6.6.74",
"status": "affected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThan": "6.12.11",
"status": "affected",
"version": "6.12.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.127",
"versionStartIncluding": "6.1.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.74",
"versionStartIncluding": "6.6.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.11",
"versionStartIncluding": "6.12.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix potential UAF of zram table\n\nIf zram_meta_alloc failed early, it frees allocated zram-\u003etable without\nsetting it NULL. Which will potentially cause zram_meta_free to access\nthe table if user reset an failed and uninitialized device."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:18:44.513Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe3de867f94819ba0f28e035c0b0182150147d95"
},
{
"url": "https://git.kernel.org/stable/c/571d3f6045cd3a6d9f6aec33b678f3ffe97582ef"
},
{
"url": "https://git.kernel.org/stable/c/902ef8f16d5ca77edc77c30656be54186c1e99b7"
},
{
"url": "https://git.kernel.org/stable/c/212fe1c0df4a150fb6298db2cfff267ceaba5402"
}
],
"title": "zram: fix potential UAF of zram table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21671",
"datePublished": "2025-01-31T11:25:34.546Z",
"dateReserved": "2024-12-29T08:45:45.735Z",
"dateUpdated": "2025-11-03T20:58:51.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57990 (GCVE-0-2024-57990)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: fix off by one in mt7925_load_clc()
This comparison should be >= instead of > to prevent an out of bounds
read and write.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:30.704043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:42.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d03b8fe1b518fc2ea2d82588e905f56d80cd64b2",
"status": "affected",
"version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
"versionType": "git"
},
{
"lessThan": "2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d",
"status": "affected",
"version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
"versionType": "git"
},
{
"lessThan": "08fa656c91fd5fdf47ba393795b9c0d1e97539ed",
"status": "affected",
"version": "9679ca7326e52282cc923c4d71d81c999cb6cd55",
"versionType": "git"
},
{
"status": "affected",
"version": "fb60020cb5b3ea4715e538c77e745c16516c5656",
"versionType": "git"
},
{
"status": "affected",
"version": "ba09084d81c6480bd02fd74052045e533a5e8469",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7925/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_load_clc()\n\nThis comparison should be \u003e= instead of \u003e to prevent an out of bounds\nread and write."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:48.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d03b8fe1b518fc2ea2d82588e905f56d80cd64b2"
},
{
"url": "https://git.kernel.org/stable/c/2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d"
},
{
"url": "https://git.kernel.org/stable/c/08fa656c91fd5fdf47ba393795b9c0d1e97539ed"
}
],
"title": "wifi: mt76: mt7925: fix off by one in mt7925_load_clc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57990",
"datePublished": "2025-02-27T02:07:13.010Z",
"dateReserved": "2025-02-27T02:04:28.914Z",
"dateUpdated": "2025-10-01T19:36:42.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49248 (GCVE-0-2022-49248)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA:
firewire-lib: Add support for deferred transaction") while 'deferrable'
flag can be uninitialized for non-control/notify AV/C transactions.
UBSAN reports it:
kernel: ================================================================================
kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
kernel: load of value 158 is not a valid value for type '_Bool'
kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu
kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
kernel: Call Trace:
kernel: <IRQ>
kernel: show_stack+0x52/0x58
kernel: dump_stack_lvl+0x4a/0x5f
kernel: dump_stack+0x10/0x12
kernel: ubsan_epilogue+0x9/0x45
kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49
kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
kernel: fcp_response+0x28/0x30 [snd_firewire_lib]
kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]
kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]
kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
kernel: tasklet_action_common.constprop.0+0xea/0xf0
kernel: tasklet_action+0x22/0x30
kernel: __do_softirq+0xd9/0x2e3
kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0
kernel: do_softirq+0x75/0xa0
kernel: </IRQ>
kernel: <TASK>
kernel: __local_bh_enable_ip+0x50/0x60
kernel: irq_forced_thread_fn+0x7e/0x90
kernel: irq_thread+0xba/0x190
kernel: ? irq_thread_fn+0x60/0x60
kernel: kthread+0x11e/0x140
kernel: ? irq_thread_check_affinity+0xf0/0xf0
kernel: ? set_kthread_struct+0x50/0x50
kernel: ret_from_fork+0x22/0x30
kernel: </TASK>
kernel: ================================================================================
This commit fixes the bug. The bug has no disadvantage for the non-
control/notify AV/C transactions since the flag has an effect for AV/C
response with INTERIM (0x0f) status which is not used for the transactions
in AV/C general specification.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 Version: 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/fcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99582e4b19f367fa95bdd150b3034d7ce8113342",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "b2b65c9013dc28836d82e25d0f0c94d794a14aba",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "60e5d391805d70458a01998de00d0c28cba40bf3",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "7025f40690a235a118c87674cfb93072694aa66d",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "7e6f5786621df060f8296f074efd275eaf20361a",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "eab74c41612083bd627b60da650e19234e4f1051",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "39d2c4a33dc1b4402cec68a3c8f82c6588b6edce",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
},
{
"lessThan": "bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d",
"status": "affected",
"version": "00a7bb81c20f3e81711e28e0f6c08cee8fd18514",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/fcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction\n\nAV/C deferred transaction was supported at a commit 00a7bb81c20f (\"ALSA:\nfirewire-lib: Add support for deferred transaction\") while \u0027deferrable\u0027\nflag can be uninitialized for non-control/notify AV/C transactions.\nUBSAN reports it:\n\nkernel: ================================================================================\nkernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9\nkernel: load of value 158 is not a valid value for type \u0027_Bool\u0027\nkernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu\nkernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019\nkernel: Call Trace:\nkernel: \u003cIRQ\u003e\nkernel: show_stack+0x52/0x58\nkernel: dump_stack_lvl+0x4a/0x5f\nkernel: dump_stack+0x10/0x12\nkernel: ubsan_epilogue+0x9/0x45\nkernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49\nkernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]\nkernel: fcp_response+0x28/0x30 [snd_firewire_lib]\nkernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]\nkernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]\nkernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]\nkernel: tasklet_action_common.constprop.0+0xea/0xf0\nkernel: tasklet_action+0x22/0x30\nkernel: __do_softirq+0xd9/0x2e3\nkernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0\nkernel: do_softirq+0x75/0xa0\nkernel: \u003c/IRQ\u003e\nkernel: \u003cTASK\u003e\nkernel: __local_bh_enable_ip+0x50/0x60\nkernel: irq_forced_thread_fn+0x7e/0x90\nkernel: irq_thread+0xba/0x190\nkernel: ? irq_thread_fn+0x60/0x60\nkernel: kthread+0x11e/0x140\nkernel: ? irq_thread_check_affinity+0xf0/0xf0\nkernel: ? set_kthread_struct+0x50/0x50\nkernel: ret_from_fork+0x22/0x30\nkernel: \u003c/TASK\u003e\nkernel: ================================================================================\n\nThis commit fixes the bug. The bug has no disadvantage for the non-\ncontrol/notify AV/C transactions since the flag has an effect for AV/C\nresponse with INTERIM (0x0f) status which is not used for the transactions\nin AV/C general specification."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:19.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99582e4b19f367fa95bdd150b3034d7ce8113342"
},
{
"url": "https://git.kernel.org/stable/c/b2b65c9013dc28836d82e25d0f0c94d794a14aba"
},
{
"url": "https://git.kernel.org/stable/c/60e5d391805d70458a01998de00d0c28cba40bf3"
},
{
"url": "https://git.kernel.org/stable/c/7025f40690a235a118c87674cfb93072694aa66d"
},
{
"url": "https://git.kernel.org/stable/c/7e6f5786621df060f8296f074efd275eaf20361a"
},
{
"url": "https://git.kernel.org/stable/c/eab74c41612083bd627b60da650e19234e4f1051"
},
{
"url": "https://git.kernel.org/stable/c/d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e"
},
{
"url": "https://git.kernel.org/stable/c/39d2c4a33dc1b4402cec68a3c8f82c6588b6edce"
},
{
"url": "https://git.kernel.org/stable/c/bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d"
}
],
"title": "ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49248",
"datePublished": "2025-02-26T01:56:06.709Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:19.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49307 (GCVE-0-2022-49307)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
When the driver fails at alloc_hdlcdev(), and then we remove the driver
module, we will get the following splat:
[ 25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI
[ 25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
[ 25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0
[ 25.077709] Call Trace:
[ 25.077924] <TASK>
[ 25.078108] unregister_hdlc_device+0x16/0x30
[ 25.078481] slgt_cleanup+0x157/0x9f0 [synclink_gt]
Fix this by checking whether the 'info->netdev' is a null pointer first.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:25.712102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/synclink_gt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50c341f9a2adc4c32a8ad5a39eb99d9c4a419e0d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "078212ad15dbd88840c82c97f12c93d83703c8fd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba08cbc5b53e151d0acf1930fb526fc65b7f3e65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6e07eb7ebec53ffe81fc2489589320fbe4a6b75",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d68d5e68b7f64de7170f8e04dd9b995c36b2c71c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a95696bdc0e13f8980f05b54a3b9081963d1256",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ddd67751ab86c6a65f95c35293c42f85a42ac05d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ceb4ca9543a8a788febf6bc8dad2e605e172d5e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "689ca31c542687709ba21ec2195c1fbce34fd029",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/synclink_gt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: synclink_gt: Fix null-pointer-dereference in slgt_clean()\n\nWhen the driver fails at alloc_hdlcdev(), and then we remove the driver\nmodule, we will get the following splat:\n\n[ 25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]\n[ 25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0\n[ 25.077709] Call Trace:\n[ 25.077924] \u003cTASK\u003e\n[ 25.078108] unregister_hdlc_device+0x16/0x30\n[ 25.078481] slgt_cleanup+0x157/0x9f0 [synclink_gt]\n\nFix this by checking whether the \u0027info-\u003enetdev\u0027 is a null pointer first."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:46.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50c341f9a2adc4c32a8ad5a39eb99d9c4a419e0d"
},
{
"url": "https://git.kernel.org/stable/c/078212ad15dbd88840c82c97f12c93d83703c8fd"
},
{
"url": "https://git.kernel.org/stable/c/ba08cbc5b53e151d0acf1930fb526fc65b7f3e65"
},
{
"url": "https://git.kernel.org/stable/c/f6e07eb7ebec53ffe81fc2489589320fbe4a6b75"
},
{
"url": "https://git.kernel.org/stable/c/d68d5e68b7f64de7170f8e04dd9b995c36b2c71c"
},
{
"url": "https://git.kernel.org/stable/c/8a95696bdc0e13f8980f05b54a3b9081963d1256"
},
{
"url": "https://git.kernel.org/stable/c/ddd67751ab86c6a65f95c35293c42f85a42ac05d"
},
{
"url": "https://git.kernel.org/stable/c/1ceb4ca9543a8a788febf6bc8dad2e605e172d5e"
},
{
"url": "https://git.kernel.org/stable/c/689ca31c542687709ba21ec2195c1fbce34fd029"
}
],
"title": "tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49307",
"datePublished": "2025-02-26T02:10:39.151Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-10-01T19:46:58.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49341 (GCVE-0-2022-49341)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, arm64: Clear prog->jited_len along prog->jited
syzbot reported an illegal copy_to_user() attempt
from bpf_prog_get_info_by_fd() [1]
There was no repro yet on this bug, but I think
that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
is exposing a prior bug in bpf arm64.
bpf_prog_get_info_by_fd() looks at prog->jited_len
to determine if the JIT image can be copied out to user space.
My theory is that syzbot managed to get a prog where prog->jited_len
has been set to 43, while prog->bpf_func has ben cleared.
It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering
this particular warning.
I thought find_vma_area(NULL) would not find a vm_struct.
As we do not hold vmap_area_lock spinlock, it might be possible
that the found vm_struct was garbage.
[1]
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
kernel BUG at mm/usercopy.c:101!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
sp : ffff80000b773a20
x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
Call trace:
usercopy_abort+0x90/0x94 mm/usercopy.c:89
check_heap_object mm/usercopy.c:186 [inline]
__check_object_size mm/usercopy.c:252 [inline]
__check_object_size+0x198/0x36c mm/usercopy.c:214
check_object_size include/linux/thread_info.h:199 [inline]
check_copy_size include/linux/thread_info.h:235 [inline]
copy_to_user include/linux/uaccess.h:159 [inline]
bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
__sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
__do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
__arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 Version: db496944fdaaf2a67d2f60529f5dc23abf809506 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aaf61a312af63e1cfe2264c4c5b8cd4ea3626025",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "e412b3d178ea4bf746f6b8ee086761613704c6be",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "0cf7aaff290cdc4d7cee683d4a18138b0dacac48",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "3f4d5e727aeaa610688d46c9f101f78b7f712583",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "5c25a3040bc0486c41a7b63a1fb0de7cdb846ad7",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "41f7c4f85d402043687e863627a1a84fa867c62d",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
},
{
"lessThan": "10f3b29c65bb2fe0d47c2945cd0b4087be1c5218",
"status": "affected",
"version": "db496944fdaaf2a67d2f60529f5dc23abf809506",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Clear prog-\u003ejited_len along prog-\u003ejited\n\nsyzbot reported an illegal copy_to_user() attempt\nfrom bpf_prog_get_info_by_fd() [1]\n\nThere was no repro yet on this bug, but I think\nthat commit 0aef499f3172 (\"mm/usercopy: Detect vmalloc overruns\")\nis exposing a prior bug in bpf arm64.\n\nbpf_prog_get_info_by_fd() looks at prog-\u003ejited_len\nto determine if the JIT image can be copied out to user space.\n\nMy theory is that syzbot managed to get a prog where prog-\u003ejited_len\nhas been set to 43, while prog-\u003ebpf_func has ben cleared.\n\nIt is not clear why copy_to_user(uinsns, NULL, ulen) is triggering\nthis particular warning.\n\nI thought find_vma_area(NULL) would not find a vm_struct.\nAs we do not hold vmap_area_lock spinlock, it might be possible\nthat the found vm_struct was garbage.\n\n[1]\nusercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!\nkernel BUG at mm/usercopy.c:101!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0\nHardware name: linux,dummy-virt (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:101\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:89\nsp : ffff80000b773a20\nx29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48\nx26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000\nx23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001\nx20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd\nx17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420\nx14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031\nx11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865\nx8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830\nx5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064\nCall trace:\n usercopy_abort+0x90/0x94 mm/usercopy.c:89\n check_heap_object mm/usercopy.c:186 [inline]\n __check_object_size mm/usercopy.c:252 [inline]\n __check_object_size+0x198/0x36c mm/usercopy.c:214\n check_object_size include/linux/thread_info.h:199 [inline]\n check_copy_size include/linux/thread_info.h:235 [inline]\n copy_to_user include/linux/uaccess.h:159 [inline]\n bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993\n bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253\n __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956\n __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]\n __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52\n el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142\n do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206\n el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624\n el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581\nCode: aa0003e3 d00038c0 91248000 97fff65f (d4210000)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:40.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aaf61a312af63e1cfe2264c4c5b8cd4ea3626025"
},
{
"url": "https://git.kernel.org/stable/c/e412b3d178ea4bf746f6b8ee086761613704c6be"
},
{
"url": "https://git.kernel.org/stable/c/0cf7aaff290cdc4d7cee683d4a18138b0dacac48"
},
{
"url": "https://git.kernel.org/stable/c/3f4d5e727aeaa610688d46c9f101f78b7f712583"
},
{
"url": "https://git.kernel.org/stable/c/5c25a3040bc0486c41a7b63a1fb0de7cdb846ad7"
},
{
"url": "https://git.kernel.org/stable/c/41f7c4f85d402043687e863627a1a84fa867c62d"
},
{
"url": "https://git.kernel.org/stable/c/10f3b29c65bb2fe0d47c2945cd0b4087be1c5218"
}
],
"title": "bpf, arm64: Clear prog-\u003ejited_len along prog-\u003ejited",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49341",
"datePublished": "2025-02-26T02:10:58.118Z",
"dateReserved": "2025-02-26T02:08:31.541Z",
"dateUpdated": "2025-05-04T08:35:40.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49621 (GCVE-0-2022-49621)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: pmac32-cpufreq: Fix refcount leak bug
In pmac_cpufreq_init_MacRISC3(), we need to add corresponding
of_node_put() for the three node pointers whose refcount have
been incremented by of_find_node_by_name().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:37.989846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:50.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/pmac32-cpufreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f242486bf46d314b2e3838cc64b56f008a3c4d7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37c16fc2cb13a13f3c0193bfc6f2edef7d7df7d7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4585890ab2dbf455d80e254d3d859d4c1e357920",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8dda30f81c751b01cd71f2cfaeef26ad4393b1d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ea9dbf7c2f436952bca331c6f5d72f75aca224e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57289b6601fe78c09921599b042a0b430fb420ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4513018d0bd739097570d26a7760551cba3deb56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ccd7567d4b6cf187fdfa55f003a9e461ee629e36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/pmac32-cpufreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: pmac32-cpufreq: Fix refcount leak bug\n\nIn pmac_cpufreq_init_MacRISC3(), we need to add corresponding\nof_node_put() for the three node pointers whose refcount have\nbeen incremented by of_find_node_by_name()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:57.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f242486bf46d314b2e3838cc64b56f008a3c4d7"
},
{
"url": "https://git.kernel.org/stable/c/37c16fc2cb13a13f3c0193bfc6f2edef7d7df7d7"
},
{
"url": "https://git.kernel.org/stable/c/4585890ab2dbf455d80e254d3d859d4c1e357920"
},
{
"url": "https://git.kernel.org/stable/c/8dda30f81c751b01cd71f2cfaeef26ad4393b1d1"
},
{
"url": "https://git.kernel.org/stable/c/3ea9dbf7c2f436952bca331c6f5d72f75aca224e"
},
{
"url": "https://git.kernel.org/stable/c/57289b6601fe78c09921599b042a0b430fb420ec"
},
{
"url": "https://git.kernel.org/stable/c/4513018d0bd739097570d26a7760551cba3deb56"
},
{
"url": "https://git.kernel.org/stable/c/ccd7567d4b6cf187fdfa55f003a9e461ee629e36"
}
],
"title": "cpufreq: pmac32-cpufreq: Fix refcount leak bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49621",
"datePublished": "2025-02-26T02:23:38.850Z",
"dateReserved": "2025-02-26T02:21:30.420Z",
"dateUpdated": "2025-10-01T19:36:50.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49058 (GCVE-0-2022-49058)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: potential buffer overflow in handling symlinks
Smatch printed a warning:
arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:
__memcpy() 'dctx->buf' too small (16 vs u32max)
It's caused because Smatch marks 'link_len' as untrusted since it comes
from sscanf(). Add a check to ensure that 'link_len' is not larger than
the size of the 'link_str' buffer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:01.997451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e582749e742e662a8e9bb37cffac62dccaaa1e2",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "1316c28569a80ab3596eeab05bf5e01991e7e739",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "eb5f51756944735ac70cd8bb38637cc202e29c91",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "22d658c6c5affed10c8907e67160cef0b6c92186",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "4e166a41180be2f1e66bbb6d46448e80a9a5ec05",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "9901b07ba42b39266b34a888e48d7306fd707bee",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "515e7ba11ef043d6febe69389949c8ef5f25e9d0",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
},
{
"lessThan": "64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304",
"status": "affected",
"version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: potential buffer overflow in handling symlinks\n\nSmatch printed a warning:\n\tarch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:\n\t__memcpy() \u0027dctx-\u003ebuf\u0027 too small (16 vs u32max)\n\nIt\u0027s caused because Smatch marks \u0027link_len\u0027 as untrusted since it comes\nfrom sscanf(). Add a check to ensure that \u0027link_len\u0027 is not larger than\nthe size of the \u0027link_str\u0027 buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:50.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e582749e742e662a8e9bb37cffac62dccaaa1e2"
},
{
"url": "https://git.kernel.org/stable/c/1316c28569a80ab3596eeab05bf5e01991e7e739"
},
{
"url": "https://git.kernel.org/stable/c/eb5f51756944735ac70cd8bb38637cc202e29c91"
},
{
"url": "https://git.kernel.org/stable/c/22d658c6c5affed10c8907e67160cef0b6c92186"
},
{
"url": "https://git.kernel.org/stable/c/4e166a41180be2f1e66bbb6d46448e80a9a5ec05"
},
{
"url": "https://git.kernel.org/stable/c/9901b07ba42b39266b34a888e48d7306fd707bee"
},
{
"url": "https://git.kernel.org/stable/c/515e7ba11ef043d6febe69389949c8ef5f25e9d0"
},
{
"url": "https://git.kernel.org/stable/c/64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304"
}
],
"title": "cifs: potential buffer overflow in handling symlinks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49058",
"datePublished": "2025-02-26T01:54:29.195Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-10-01T19:57:06.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49517 (GCVE-0-2022-49517)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe
This node pointer is returned by of_parse_phandle() with
refcount incremented in this function.
Calling of_node_put() to avoid the refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f Version: 8625c1dbd87631572f8e2c05bc67736b73d6f02f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:12.821382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt2701/mt2701-wm8960.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc2afecaabd2a2c9f17e43b4793a30e3461bfb29",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "9345122f5fb9f97a206f440f38bb656e53f46912",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "c71494f5f2b444adfd992a7359a0d2a791642b39",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "f279c49f17ce10866087ea6c0c57382158974b63",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "61a85a20e8df5e0a92cfe169c92425c7bae0753b",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "318afb1442eeef089fe7f8a8297d97c0302ff6f6",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "94587aa17abf8b26f543d2b29c44abc21bc36836",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
},
{
"lessThan": "05654431a18fe24e5e46a375d98904134628a102",
"status": "affected",
"version": "8625c1dbd87631572f8e2c05bc67736b73d6f02f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mediatek/mt2701/mt2701-wm8960.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe\n\nThis node pointer is returned by of_parse_phandle() with\nrefcount incremented in this function.\nCalling of_node_put() to avoid the refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:38.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc2afecaabd2a2c9f17e43b4793a30e3461bfb29"
},
{
"url": "https://git.kernel.org/stable/c/9345122f5fb9f97a206f440f38bb656e53f46912"
},
{
"url": "https://git.kernel.org/stable/c/c71494f5f2b444adfd992a7359a0d2a791642b39"
},
{
"url": "https://git.kernel.org/stable/c/f279c49f17ce10866087ea6c0c57382158974b63"
},
{
"url": "https://git.kernel.org/stable/c/61a85a20e8df5e0a92cfe169c92425c7bae0753b"
},
{
"url": "https://git.kernel.org/stable/c/318afb1442eeef089fe7f8a8297d97c0302ff6f6"
},
{
"url": "https://git.kernel.org/stable/c/94587aa17abf8b26f543d2b29c44abc21bc36836"
},
{
"url": "https://git.kernel.org/stable/c/05654431a18fe24e5e46a375d98904134628a102"
}
],
"title": "ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49517",
"datePublished": "2025-02-26T02:13:44.853Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:41.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49569 (GCVE-0-2022-49569)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers
In case a IRQ based transfer times out the bcm2835_spi_handle_err()
function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop
dma_pending flag") the TX and RX DMA transfers are unconditionally
canceled, leading to NULL pointer derefs if ctlr->dma_tx or
ctlr->dma_rx are not set.
Fix the NULL pointer deref by checking that ctlr->dma_tx and
ctlr->dma_rx are valid pointers before accessing them.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:36:53.132974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:37.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm2835.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76668d2a2f367d25ff448e6d7087406af7d7bb2b",
"status": "affected",
"version": "1513ceee70f2bd523e025efe0c715328e1a43ffd",
"versionType": "git"
},
{
"lessThan": "684896e675edd8b669fd3e9f547c5038222d85bc",
"status": "affected",
"version": "1513ceee70f2bd523e025efe0c715328e1a43ffd",
"versionType": "git"
},
{
"lessThan": "58466e05390043d2805685c70f55f3f59711bdf2",
"status": "affected",
"version": "1513ceee70f2bd523e025efe0c715328e1a43ffd",
"versionType": "git"
},
{
"lessThan": "49ffa473218012e765682343de2052eb4c1f06a7",
"status": "affected",
"version": "1513ceee70f2bd523e025efe0c715328e1a43ffd",
"versionType": "git"
},
{
"lessThan": "4ceaa684459d414992acbefb4e4c31f2dfc50641",
"status": "affected",
"version": "1513ceee70f2bd523e025efe0c715328e1a43ffd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-bcm2835.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers\n\nIn case a IRQ based transfer times out the bcm2835_spi_handle_err()\nfunction is called. Since commit 1513ceee70f2 (\"spi: bcm2835: Drop\ndma_pending flag\") the TX and RX DMA transfers are unconditionally\ncanceled, leading to NULL pointer derefs if ctlr-\u003edma_tx or\nctlr-\u003edma_rx are not set.\n\nFix the NULL pointer deref by checking that ctlr-\u003edma_tx and\nctlr-\u003edma_rx are valid pointers before accessing them."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:50.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76668d2a2f367d25ff448e6d7087406af7d7bb2b"
},
{
"url": "https://git.kernel.org/stable/c/684896e675edd8b669fd3e9f547c5038222d85bc"
},
{
"url": "https://git.kernel.org/stable/c/58466e05390043d2805685c70f55f3f59711bdf2"
},
{
"url": "https://git.kernel.org/stable/c/49ffa473218012e765682343de2052eb4c1f06a7"
},
{
"url": "https://git.kernel.org/stable/c/4ceaa684459d414992acbefb4e4c31f2dfc50641"
}
],
"title": "spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49569",
"datePublished": "2025-02-26T02:23:13.209Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:37.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21850 (GCVE-0-2025-21850)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: Fix crash when a namespace is disabled
The namespace percpu counter protects pending I/O, and we can
only safely diable the namespace once the counter drop to zero.
Otherwise we end up with a crash when running blktests/nvme/058
(eg for loop transport):
[ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
[ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232
[ 2352.930438] [ T53909] Tainted: [W]=WARN
[ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
[ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]
[ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180
as the queue is already torn down when calling submit_bio();
So we need to init the percpu counter in nvmet_ns_enable(), and
wait for it to drop to zero in nvmet_ns_disable() to avoid having
I/O pending after the namespace has been disabled.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:26:16.776927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:38.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc0607594f6813342b27c752c6fb6f6eb9980cb5",
"status": "affected",
"version": "74d16965d7ac378d28ebd833ae6d6a097186a4ec",
"versionType": "git"
},
{
"lessThan": "4082326807072b71496501b6a0c55ffe8d5092a5",
"status": "affected",
"version": "74d16965d7ac378d28ebd833ae6d6a097186a4ec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Fix crash when a namespace is disabled\n\nThe namespace percpu counter protects pending I/O, and we can\nonly safely diable the namespace once the counter drop to zero.\nOtherwise we end up with a crash when running blktests/nvme/058\n(eg for loop transport):\n\n[ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232\n[ 2352.930438] [ T53909] Tainted: [W]=WARN\n[ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\n[ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180\n\nas the queue is already torn down when calling submit_bio();\n\nSo we need to init the percpu counter in nvmet_ns_enable(), and\nwait for it to drop to zero in nvmet_ns_disable() to avoid having\nI/O pending after the namespace has been disabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:31.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc0607594f6813342b27c752c6fb6f6eb9980cb5"
},
{
"url": "https://git.kernel.org/stable/c/4082326807072b71496501b6a0c55ffe8d5092a5"
}
],
"title": "nvmet: Fix crash when a namespace is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21850",
"datePublished": "2025-03-12T09:42:05.761Z",
"dateReserved": "2024-12-29T08:45:45.779Z",
"dateUpdated": "2025-10-01T19:26:38.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49367 (GCVE-0-2022-49367)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
mv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().
We don't need the device node after it.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 Version: a3c53be55c955b7150cda17874c3fcb4eeb97a89 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:31.530867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:53.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/mv88e6xxx/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc1cf8c6f9793546696fded437a5b4c84944c48b",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "86c3c5f8e4bd1325e24f6fba9017cade29933377",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "a101793994c0a14c70bb4e44c7fda597eeebba0a",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "42658e47f1abbbe592007d3ba303de466114d0bb",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "c1df9cb756e5a9ba1841648c44ee5d92306b9c65",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "e0d763d0c7665c7897e4f5a0847ab0c82543345f",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "8a1a1255152da4fb934290e7ababc66f24985520",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
},
{
"lessThan": "02ded5a173619b11728b8bf75a3fd995a2c1ff28",
"status": "affected",
"version": "a3c53be55c955b7150cda17874c3fcb4eeb97a89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/mv88e6xxx/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\n\nmv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().\nWe don\u0027t need the device node after it.\n\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:11.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc1cf8c6f9793546696fded437a5b4c84944c48b"
},
{
"url": "https://git.kernel.org/stable/c/86c3c5f8e4bd1325e24f6fba9017cade29933377"
},
{
"url": "https://git.kernel.org/stable/c/a101793994c0a14c70bb4e44c7fda597eeebba0a"
},
{
"url": "https://git.kernel.org/stable/c/42658e47f1abbbe592007d3ba303de466114d0bb"
},
{
"url": "https://git.kernel.org/stable/c/c1df9cb756e5a9ba1841648c44ee5d92306b9c65"
},
{
"url": "https://git.kernel.org/stable/c/e0d763d0c7665c7897e4f5a0847ab0c82543345f"
},
{
"url": "https://git.kernel.org/stable/c/8a1a1255152da4fb934290e7ababc66f24985520"
},
{
"url": "https://git.kernel.org/stable/c/02ded5a173619b11728b8bf75a3fd995a2c1ff28"
}
],
"title": "net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49367",
"datePublished": "2025-02-26T02:11:11.729Z",
"dateReserved": "2025-02-26T02:08:31.555Z",
"dateUpdated": "2025-10-01T19:46:53.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49194 (GCVE-0-2022-49194)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bcmgenet: Use stronger register read/writes to assure ordering
GCC12 appears to be much smarter about its dependency tracking and is
aware that the relaxed variants are just normal loads and stores and
this is causing problems like:
[ 210.074549] ------------[ cut here ]------------
[ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out
[ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240
[ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat]
[ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110
[ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58
[ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters
[ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022
[ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 210.161358] pc : dev_watchdog+0x234/0x240
[ 210.161364] lr : dev_watchdog+0x234/0x240
[ 210.161368] sp : ffff8000080a3a40
[ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20
[ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08
[ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000
[ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff
[ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a
[ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0
[ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c
[ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000
[ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000
[ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044
[ 210.269682] Call trace:
[ 210.272133] dev_watchdog+0x234/0x240
[ 210.275811] call_timer_fn+0x3c/0x15c
[ 210.279489] __run_timers.part.0+0x288/0x310
[ 210.283777] run_timer_softirq+0x48/0x80
[ 210.287716] __do_softirq+0x128/0x360
[ 210.291392] __irq_exit_rcu+0x138/0x140
[ 210.295243] irq_exit_rcu+0x1c/0x30
[ 210.298745] el1_interrupt+0x38/0x54
[ 210.302334] el1h_64_irq_handler+0x18/0x24
[ 210.306445] el1h_64_irq+0x7c/0x80
[ 210.309857] arch_cpu_idle+0x18/0x2c
[ 210.313445] default_idle_call+0x4c/0x140
[ 210.317470] cpuidle_idle_call+0x14c/0x1a0
[ 210.321584] do_idle+0xb0/0x100
[ 210.324737] cpu_startup_entry+0x30/0x8c
[ 210.328675] secondary_start_kernel+0xe4/0x110
[ 210.333138] __secondary_switched+0x94/0x98
The assumption when these were relaxed seems to be that device memory
would be mapped non reordering, and that other constructs
(spinlocks/etc) would provide the barriers to assure that packet data
and in memory rings/queues were ordered with respect to device
register reads/writes. This itself seems a bit sketchy, but the real
problem with GCC12 is that it is moving the actual reads/writes around
at will as though they were independent operations when in truth they
are not, but the compiler can't know that. When looking at the
assembly dumps for many of these routines its possible to see very
clean, but not strictly in program order operations occurring as the
compiler would be free to do if these weren't actually register
reads/write operations.
Its possible to suppress the timeout with a liberal bit of dma_mb()'s
sprinkled around but the device still seems unable to reliably
send/receive data. A better plan is to use the safer readl/writel
everywhere.
Since this partially reverts an older commit, which notes the use of
the relaxed variants for performance reasons. I would suggest that
any performance problems
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/genet/bcmgenet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b26091a02093104259ca64aeca73601e56160d62",
"status": "affected",
"version": "69d2ea9c798983c4a7157278ec84ff969d1cd8e8",
"versionType": "git"
},
{
"lessThan": "06d836801cd82ded282aaf9e888ff9e7e4a88b91",
"status": "affected",
"version": "69d2ea9c798983c4a7157278ec84ff969d1cd8e8",
"versionType": "git"
},
{
"lessThan": "1d717816189fd68f9e089cf89ed1f7327d2c2e71",
"status": "affected",
"version": "69d2ea9c798983c4a7157278ec84ff969d1cd8e8",
"versionType": "git"
},
{
"lessThan": "f49769b462f282477ca801cf648f875b1c5b59db",
"status": "affected",
"version": "69d2ea9c798983c4a7157278ec84ff969d1cd8e8",
"versionType": "git"
},
{
"lessThan": "8d3ea3d402db94b61075617e71b67459a714a502",
"status": "affected",
"version": "69d2ea9c798983c4a7157278ec84ff969d1cd8e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/genet/bcmgenet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmgenet: Use stronger register read/writes to assure ordering\n\nGCC12 appears to be much smarter about its dependency tracking and is\naware that the relaxed variants are just normal loads and stores and\nthis is causing problems like:\n\n[ 210.074549] ------------[ cut here ]------------\n[ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out\n[ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240\n[ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat]\n[ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110\n[ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58\n[ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters\n[ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022\n[ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 210.161358] pc : dev_watchdog+0x234/0x240\n[ 210.161364] lr : dev_watchdog+0x234/0x240\n[ 210.161368] sp : ffff8000080a3a40\n[ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20\n[ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08\n[ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000\n[ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff\n[ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a\n[ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0\n[ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c\n[ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000\n[ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000\n[ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044\n[ 210.269682] Call trace:\n[ 210.272133] dev_watchdog+0x234/0x240\n[ 210.275811] call_timer_fn+0x3c/0x15c\n[ 210.279489] __run_timers.part.0+0x288/0x310\n[ 210.283777] run_timer_softirq+0x48/0x80\n[ 210.287716] __do_softirq+0x128/0x360\n[ 210.291392] __irq_exit_rcu+0x138/0x140\n[ 210.295243] irq_exit_rcu+0x1c/0x30\n[ 210.298745] el1_interrupt+0x38/0x54\n[ 210.302334] el1h_64_irq_handler+0x18/0x24\n[ 210.306445] el1h_64_irq+0x7c/0x80\n[ 210.309857] arch_cpu_idle+0x18/0x2c\n[ 210.313445] default_idle_call+0x4c/0x140\n[ 210.317470] cpuidle_idle_call+0x14c/0x1a0\n[ 210.321584] do_idle+0xb0/0x100\n[ 210.324737] cpu_startup_entry+0x30/0x8c\n[ 210.328675] secondary_start_kernel+0xe4/0x110\n[ 210.333138] __secondary_switched+0x94/0x98\n\nThe assumption when these were relaxed seems to be that device memory\nwould be mapped non reordering, and that other constructs\n(spinlocks/etc) would provide the barriers to assure that packet data\nand in memory rings/queues were ordered with respect to device\nregister reads/writes. This itself seems a bit sketchy, but the real\nproblem with GCC12 is that it is moving the actual reads/writes around\nat will as though they were independent operations when in truth they\nare not, but the compiler can\u0027t know that. When looking at the\nassembly dumps for many of these routines its possible to see very\nclean, but not strictly in program order operations occurring as the\ncompiler would be free to do if these weren\u0027t actually register\nreads/write operations.\n\nIts possible to suppress the timeout with a liberal bit of dma_mb()\u0027s\nsprinkled around but the device still seems unable to reliably\nsend/receive data. A better plan is to use the safer readl/writel\neverywhere.\n\nSince this partially reverts an older commit, which notes the use of\nthe relaxed variants for performance reasons. I would suggest that\nany performance problems \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:06.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b26091a02093104259ca64aeca73601e56160d62"
},
{
"url": "https://git.kernel.org/stable/c/06d836801cd82ded282aaf9e888ff9e7e4a88b91"
},
{
"url": "https://git.kernel.org/stable/c/1d717816189fd68f9e089cf89ed1f7327d2c2e71"
},
{
"url": "https://git.kernel.org/stable/c/f49769b462f282477ca801cf648f875b1c5b59db"
},
{
"url": "https://git.kernel.org/stable/c/8d3ea3d402db94b61075617e71b67459a714a502"
}
],
"title": "net: bcmgenet: Use stronger register read/writes to assure ordering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49194",
"datePublished": "2025-02-26T01:55:39.581Z",
"dateReserved": "2025-02-26T01:49:39.287Z",
"dateUpdated": "2025-05-04T08:32:06.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52926 (GCVE-0-2023-52926)
Vulnerability from cvelistv5
Published
2025-02-24 09:01
Modified
2025-11-03 20:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IORING_OP_READ did not correctly consume the provided buffer list when
read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return).
This can lead to a potential use-after-free when the completion via
io_rw_done runs at separate context.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T16:27:48.354683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T17:35:11.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:36:19.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72060434a14caea20925e492310d6e680e3f9007",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "6c27fc6a783c8a77c756dd5461b15e465020d075",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
},
{
"lessThan": "a08d195b586a217d76b42062f88f375a3eedda4d",
"status": "affected",
"version": "2b188cc1bb857a9d4701ae59aa7768b5124e262e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIORING_OP_READ did not correctly consume the provided buffer list when\nread i/o returned \u003c 0 (except for -EAGAIN and -EIOCBQUEUED return).\nThis can lead to a potential use-after-free when the completion via\nio_rw_done runs at separate context."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:08.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007"
},
{
"url": "https://git.kernel.org/stable/c/6c27fc6a783c8a77c756dd5461b15e465020d075"
},
{
"url": "https://git.kernel.org/stable/c/a08d195b586a217d76b42062f88f375a3eedda4d"
}
],
"title": "io_uring/rw: split io_read() into a helper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52926",
"datePublished": "2025-02-24T09:01:19.209Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-11-03T20:36:19.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49154 (GCVE-0-2022-49154)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-06-19 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: fix panic on out-of-bounds guest IRQ
As guest_irq is coming from KVM_IRQFD API call, it may trigger
crash in svm_update_pi_irte() due to out-of-bounds:
crash> bt
PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8"
#0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397
#1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d
#2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d
#3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d
#4 [ffffb1ba6707fb90] no_context at ffffffff856692c9
#5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51
#6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace
[exception RIP: svm_update_pi_irte+227]
RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086
RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001
RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8
RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200
R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]
#8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]
#9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]
RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246
RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b
RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020
RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0
R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0
R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0
ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b
Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on
out-of-bounds guest IRQ), so we can just copy source from that to fix
this.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fb470eb48892e131d10aa3be6915239e65758f3",
"status": "affected",
"version": "411b44ba80ab0023383fe3f377e903cb0cb7d8bb",
"versionType": "git"
},
{
"lessThan": "3fa2d747960521a646fc1aad7aea82e95e139a68",
"status": "affected",
"version": "411b44ba80ab0023383fe3f377e903cb0cb7d8bb",
"versionType": "git"
},
{
"lessThan": "e4d153d53d9648513481eb4ef8c212e7f1f8173d",
"status": "affected",
"version": "411b44ba80ab0023383fe3f377e903cb0cb7d8bb",
"versionType": "git"
},
{
"lessThan": "a6ffdebfb6a9c2ffeed902b544b96fe67498210e",
"status": "affected",
"version": "411b44ba80ab0023383fe3f377e903cb0cb7d8bb",
"versionType": "git"
},
{
"lessThan": "a80ced6ea514000d34bf1239d47553de0d1ee89e",
"status": "affected",
"version": "411b44ba80ab0023383fe3f377e903cb0cb7d8bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: fix panic on out-of-bounds guest IRQ\n\nAs guest_irq is coming from KVM_IRQFD API call, it may trigger\ncrash in svm_update_pi_irte() due to out-of-bounds:\n\ncrash\u003e bt\nPID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: \"vcpu8\"\n #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397\n #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d\n #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d\n #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d\n #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9\n #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51\n #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace\n [exception RIP: svm_update_pi_irte+227]\n RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086\n RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001\n RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8\n RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200\n R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001\n R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]\n #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]\n #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]\n RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246\n RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b\n RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020\n RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0\n R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0\n R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0\n ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b\n\nVmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on\nout-of-bounds guest IRQ), so we can just copy source from that to fix\nthis."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:15.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3"
},
{
"url": "https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68"
},
{
"url": "https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d"
},
{
"url": "https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e"
},
{
"url": "https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e"
}
],
"title": "KVM: SVM: fix panic on out-of-bounds guest IRQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49154",
"datePublished": "2025-02-26T01:55:19.245Z",
"dateReserved": "2025-02-26T01:49:39.275Z",
"dateUpdated": "2025-06-19T12:56:15.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58054 (GCVE-0-2024-58054)
Vulnerability from cvelistv5
Published
2025-03-06 15:53
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: media: max96712: fix kernel oops when removing module
The following kernel oops is thrown when trying to remove the max96712
module:
Unable to handle kernel paging request at virtual address 00007375746174db
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000
[00007375746174db] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan
snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2
imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev
snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils
max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse
[last unloaded: imx8_isi]
CPU: 0 UID: 0 PID: 754 Comm: rmmod
Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17
Tainted: [C]=CRAP
Hardware name: NXP i.MX95 19X19 board (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : led_put+0x1c/0x40
lr : v4l2_subdev_put_privacy_led+0x48/0x58
sp : ffff80008699bbb0
x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8
x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000
x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1
x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473
Call trace:
led_put+0x1c/0x40
v4l2_subdev_put_privacy_led+0x48/0x58
v4l2_async_unregister_subdev+0x2c/0x1a4
max96712_remove+0x1c/0x38 [max96712]
i2c_device_remove+0x2c/0x9c
device_remove+0x4c/0x80
device_release_driver_internal+0x1cc/0x228
driver_detach+0x4c/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
i2c_del_driver+0x54/0x64
max96712_i2c_driver_exit+0x18/0x1d0 [max96712]
__arm64_sys_delete_module+0x1a4/0x290
invoke_syscall+0x48/0x10c
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xd8
el0t_64_sync_handler+0x120/0x12c
el0t_64_sync+0x190/0x194
Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)
---[ end trace 0000000000000000 ]---
This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()
is called again and the data is overwritten to point to sd, instead of
priv. So, in remove(), the wrong pointer is passed to
v4l2_async_unregister_subdev(), leading to a crash.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:47.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/max96712/max96712.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3311c5395e7322298b659b8addc704b39fb3a59c",
"status": "affected",
"version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
"versionType": "git"
},
{
"lessThan": "dfde3d63afbaae664c4d36e53cfb4045d5374561",
"status": "affected",
"version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
"versionType": "git"
},
{
"lessThan": "278a98f6d8a7bbe1110433b057333536e4490edf",
"status": "affected",
"version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
"versionType": "git"
},
{
"lessThan": "1556b9149b81cc549c13f5e56e81e89404d8a666",
"status": "affected",
"version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
"versionType": "git"
},
{
"lessThan": "ee1b5046d5cd892a0754ab982aeaaad3702083a5",
"status": "affected",
"version": "5814f32fef137e34577c4f053272c53e7ca33cd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/max96712/max96712.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: max96712: fix kernel oops when removing module\n\nThe following kernel oops is thrown when trying to remove the max96712\nmodule:\n\nUnable to handle kernel paging request at virtual address 00007375746174db\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000\n[00007375746174db] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan\n snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2\n imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev\n snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils\n max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse\n [last unloaded: imx8_isi]\nCPU: 0 UID: 0 PID: 754 Comm: rmmod\n\t Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17\nTainted: [C]=CRAP\nHardware name: NXP i.MX95 19X19 board (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : led_put+0x1c/0x40\nlr : v4l2_subdev_put_privacy_led+0x48/0x58\nsp : ffff80008699bbb0\nx29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8\nx20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000\nx11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1\nx2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473\nCall trace:\n led_put+0x1c/0x40\n v4l2_subdev_put_privacy_led+0x48/0x58\n v4l2_async_unregister_subdev+0x2c/0x1a4\n max96712_remove+0x1c/0x38 [max96712]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x4c/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n max96712_i2c_driver_exit+0x18/0x1d0 [max96712]\n __arm64_sys_delete_module+0x1a4/0x290\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xd8\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x190/0x194\nCode: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)\n---[ end trace 0000000000000000 ]---\n\nThis happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()\nis called again and the data is overwritten to point to sd, instead of\npriv. So, in remove(), the wrong pointer is passed to\nv4l2_async_unregister_subdev(), leading to a crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:48.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3311c5395e7322298b659b8addc704b39fb3a59c"
},
{
"url": "https://git.kernel.org/stable/c/dfde3d63afbaae664c4d36e53cfb4045d5374561"
},
{
"url": "https://git.kernel.org/stable/c/278a98f6d8a7bbe1110433b057333536e4490edf"
},
{
"url": "https://git.kernel.org/stable/c/1556b9149b81cc549c13f5e56e81e89404d8a666"
},
{
"url": "https://git.kernel.org/stable/c/ee1b5046d5cd892a0754ab982aeaaad3702083a5"
}
],
"title": "staging: media: max96712: fix kernel oops when removing module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58054",
"datePublished": "2025-03-06T15:53:58.243Z",
"dateReserved": "2025-03-06T15:52:09.178Z",
"dateUpdated": "2025-11-03T19:33:47.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49529 (GCVE-0-2022-49529)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/pm: fix the null pointer while the smu is disabled
It needs to check if the pp_funcs is initialized while release the
context, otherwise it will trigger null pointer panic while the software
smu is not enabled.
[ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078
[ 1109.404609] #PF: supervisor read access in kernel mode
[ 1109.404638] #PF: error_code(0x0000) - not-present page
[ 1109.404657] PGD 0 P4D 0
[ 1109.404672] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1109.404701] CPU: 7 PID: 9150 Comm: amdgpu_test Tainted: G OEL 5.16.0-custom #1
[ 1109.404732] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]
[ 1109.405109] Code: 5d c3 44 8b a3 f0 80 00 00 eb e5 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 4c 8b b7 f0 7d 00 00 <49> 83 7e 78 00 0f 84 f2 00 00 00 80 bf 87 80 00 00 00 48 89 fb 0f
[ 1109.405176] RSP: 0018:ffffaf3083ad7c20 EFLAGS: 00010282
[ 1109.405203] RAX: 0000000000000000 RBX: ffff9796b1c14600 RCX: 0000000002862007
[ 1109.405229] RDX: ffff97968591c8c0 RSI: 0000000000000001 RDI: ffff9796a3700000
[ 1109.405260] RBP: ffffaf3083ad7c50 R08: ffffffff9897de00 R09: ffff979688d9db60
[ 1109.405286] R10: 0000000000000000 R11: ffff979688d9db90 R12: 0000000000000001
[ 1109.405316] R13: ffff9796a3700000 R14: 0000000000000000 R15: ffff9796a3708fc0
[ 1109.405345] FS: 00007ff055cff180(0000) GS:ffff9796bfdc0000(0000) knlGS:0000000000000000
[ 1109.405378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1109.405400] CR2: 0000000000000078 CR3: 000000000a394000 CR4: 00000000000506e0
[ 1109.405434] Call Trace:
[ 1109.405445] <TASK>
[ 1109.405456] ? delete_object_full+0x1d/0x20
[ 1109.405480] amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]
[ 1109.405698] amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]
[ 1109.405911] amdgpu_ctx_do_release+0x71/0x80 [amdgpu]
[ 1109.406121] amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]
[ 1109.406327] ? _raw_spin_unlock+0x1a/0x30
[ 1109.406354] ? drm_gem_handle_delete+0x81/0xb0 [drm]
[ 1109.406400] ? amdgpu_ctx_get_entity+0x2c0/0x2c0 [amdgpu]
[ 1109.406609] drm_ioctl_kernel+0xb6/0x140 [drm]
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:02.355108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/amdgpu_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49ec3441aa5e5940f3e82dd2f0205b9c856e399d",
"status": "affected",
"version": "79c65f3fcbb1288b84473d45e6d001820a971d54",
"versionType": "git"
},
{
"lessThan": "eea5c7b3390c6e006ba4cbd906447dd8cea8cfbf",
"status": "affected",
"version": "79c65f3fcbb1288b84473d45e6d001820a971d54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/amdgpu_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: fix the null pointer while the smu is disabled\n\nIt needs to check if the pp_funcs is initialized while release the\ncontext, otherwise it will trigger null pointer panic while the software\nsmu is not enabled.\n\n[ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[ 1109.404609] #PF: supervisor read access in kernel mode\n[ 1109.404638] #PF: error_code(0x0000) - not-present page\n[ 1109.404657] PGD 0 P4D 0\n[ 1109.404672] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 1109.404701] CPU: 7 PID: 9150 Comm: amdgpu_test Tainted: G OEL 5.16.0-custom #1\n[ 1109.404732] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\n[ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]\n[ 1109.405109] Code: 5d c3 44 8b a3 f0 80 00 00 eb e5 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 4c 8b b7 f0 7d 00 00 \u003c49\u003e 83 7e 78 00 0f 84 f2 00 00 00 80 bf 87 80 00 00 00 48 89 fb 0f\n[ 1109.405176] RSP: 0018:ffffaf3083ad7c20 EFLAGS: 00010282\n[ 1109.405203] RAX: 0000000000000000 RBX: ffff9796b1c14600 RCX: 0000000002862007\n[ 1109.405229] RDX: ffff97968591c8c0 RSI: 0000000000000001 RDI: ffff9796a3700000\n[ 1109.405260] RBP: ffffaf3083ad7c50 R08: ffffffff9897de00 R09: ffff979688d9db60\n[ 1109.405286] R10: 0000000000000000 R11: ffff979688d9db90 R12: 0000000000000001\n[ 1109.405316] R13: ffff9796a3700000 R14: 0000000000000000 R15: ffff9796a3708fc0\n[ 1109.405345] FS: 00007ff055cff180(0000) GS:ffff9796bfdc0000(0000) knlGS:0000000000000000\n[ 1109.405378] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1109.405400] CR2: 0000000000000078 CR3: 000000000a394000 CR4: 00000000000506e0\n[ 1109.405434] Call Trace:\n[ 1109.405445] \u003cTASK\u003e\n[ 1109.405456] ? delete_object_full+0x1d/0x20\n[ 1109.405480] amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]\n[ 1109.405698] amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]\n[ 1109.405911] amdgpu_ctx_do_release+0x71/0x80 [amdgpu]\n[ 1109.406121] amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]\n[ 1109.406327] ? _raw_spin_unlock+0x1a/0x30\n[ 1109.406354] ? drm_gem_handle_delete+0x81/0xb0 [drm]\n[ 1109.406400] ? amdgpu_ctx_get_entity+0x2c0/0x2c0 [amdgpu]\n[ 1109.406609] drm_ioctl_kernel+0xb6/0x140 [drm]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:58:47.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49ec3441aa5e5940f3e82dd2f0205b9c856e399d"
},
{
"url": "https://git.kernel.org/stable/c/eea5c7b3390c6e006ba4cbd906447dd8cea8cfbf"
}
],
"title": "drm/amdgpu/pm: fix the null pointer while the smu is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49529",
"datePublished": "2025-02-26T02:13:50.580Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-10-01T19:46:41.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49448 (GCVE-0-2022-49448)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: bcm: Check for NULL return of devm_kzalloc()
As the potential failure of allocation, devm_kzalloc() may return NULL. Then
the 'pd->pmb' and the follow lines of code may bring null pointer dereference.
Therefore, it is better to check the return value of devm_kzalloc() to avoid
this confusion.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:39.579676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/bcm/bcm63xx/bcm-pmb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5650e103bfc70156001615861fb8aafb3947da6e",
"status": "affected",
"version": "8bcac4011ebe0dbdd46fd55b036ee855c95702d3",
"versionType": "git"
},
{
"lessThan": "36339ea7bae4943be01c8e9545e46e334591fecd",
"status": "affected",
"version": "8bcac4011ebe0dbdd46fd55b036ee855c95702d3",
"versionType": "git"
},
{
"lessThan": "b48b98743b568bb219152ba2e15af6ef0d3d8a9b",
"status": "affected",
"version": "8bcac4011ebe0dbdd46fd55b036ee855c95702d3",
"versionType": "git"
},
{
"lessThan": "b4bd2aafacce48db26b0a213d849818d940556dd",
"status": "affected",
"version": "8bcac4011ebe0dbdd46fd55b036ee855c95702d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/bcm/bcm63xx/bcm-pmb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: bcm: Check for NULL return of devm_kzalloc()\n\nAs the potential failure of allocation, devm_kzalloc() may return NULL. Then\nthe \u0027pd-\u003epmb\u0027 and the follow lines of code may bring null pointer dereference.\n\nTherefore, it is better to check the return value of devm_kzalloc() to avoid\nthis confusion."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:57.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5650e103bfc70156001615861fb8aafb3947da6e"
},
{
"url": "https://git.kernel.org/stable/c/36339ea7bae4943be01c8e9545e46e334591fecd"
},
{
"url": "https://git.kernel.org/stable/c/b48b98743b568bb219152ba2e15af6ef0d3d8a9b"
},
{
"url": "https://git.kernel.org/stable/c/b4bd2aafacce48db26b0a213d849818d940556dd"
}
],
"title": "soc: bcm: Check for NULL return of devm_kzalloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49448",
"datePublished": "2025-02-26T02:12:59.203Z",
"dateReserved": "2025-02-26T02:08:31.572Z",
"dateUpdated": "2025-10-01T19:46:48.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49470 (GCVE-0-2022-49470)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event
We should not access skb buffer data anymore after hci_recv_frame was
called.
[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0
[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker
[ 39.634962] Call trace:
[ 39.634974] dump_backtrace+0x0/0x3b8
[ 39.634999] show_stack+0x20/0x2c
[ 39.635016] dump_stack_lvl+0x60/0x78
[ 39.635040] print_address_description+0x70/0x2f0
[ 39.635062] kasan_report+0x154/0x194
[ 39.635079] __asan_report_load1_noabort+0x44/0x50
[ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4
[ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4
[ 39.635157] process_one_work+0x560/0xc5c
[ 39.635177] worker_thread+0x7ec/0xcc0
[ 39.635195] kthread+0x2d0/0x3d0
[ 39.635215] ret_from_fork+0x10/0x20
[ 39.635247] Allocated by task 0:
[ 39.635260] (stack is not available)
[ 39.635281] Freed by task 2392:
[ 39.635295] kasan_save_stack+0x38/0x68
[ 39.635319] kasan_set_track+0x28/0x3c
[ 39.635338] kasan_set_free_info+0x28/0x4c
[ 39.635357] ____kasan_slab_free+0x104/0x150
[ 39.635374] __kasan_slab_free+0x18/0x28
[ 39.635391] slab_free_freelist_hook+0x114/0x248
[ 39.635410] kfree+0xf8/0x2b4
[ 39.635427] skb_free_head+0x58/0x98
[ 39.635447] skb_release_data+0x2f4/0x410
[ 39.635464] skb_release_all+0x50/0x60
[ 39.635481] kfree_skb+0xc8/0x25c
[ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]
[ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]
[ 39.635925] process_one_work+0x560/0xc5c
[ 39.635951] worker_thread+0x7ec/0xcc0
[ 39.635970] kthread+0x2d0/0x3d0
[ 39.635990] ret_from_fork+0x10/0x20
[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600
which belongs to the cache kmalloc-512 of size 512
[ 39.636039] The buggy address is located 13 bytes inside of
512-byte region [ffffff80cf28a600, ffffff80cf28a800)
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:58.795301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btmtksdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3cec8a42fcd11d05313c724f27e01b1db77522c",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "02ba31e09a26e8cd4582ac8e6163d80284997727",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "01c6a899fa6be4f4cbf60c4f44f0f6691155415f",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "0fab6361c4ba17d1b43a991bef4238a3c1754d35",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btmtksdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[ 39.634962] Call trace:\n[ 39.634974] dump_backtrace+0x0/0x3b8\n[ 39.634999] show_stack+0x20/0x2c\n[ 39.635016] dump_stack_lvl+0x60/0x78\n[ 39.635040] print_address_description+0x70/0x2f0\n[ 39.635062] kasan_report+0x154/0x194\n[ 39.635079] __asan_report_load1_noabort+0x44/0x50\n[ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4\n[ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4\n[ 39.635157] process_one_work+0x560/0xc5c\n[ 39.635177] worker_thread+0x7ec/0xcc0\n[ 39.635195] kthread+0x2d0/0x3d0\n[ 39.635215] ret_from_fork+0x10/0x20\n[ 39.635247] Allocated by task 0:\n[ 39.635260] (stack is not available)\n[ 39.635281] Freed by task 2392:\n[ 39.635295] kasan_save_stack+0x38/0x68\n[ 39.635319] kasan_set_track+0x28/0x3c\n[ 39.635338] kasan_set_free_info+0x28/0x4c\n[ 39.635357] ____kasan_slab_free+0x104/0x150\n[ 39.635374] __kasan_slab_free+0x18/0x28\n[ 39.635391] slab_free_freelist_hook+0x114/0x248\n[ 39.635410] kfree+0xf8/0x2b4\n[ 39.635427] skb_free_head+0x58/0x98\n[ 39.635447] skb_release_data+0x2f4/0x410\n[ 39.635464] skb_release_all+0x50/0x60\n[ 39.635481] kfree_skb+0xc8/0x25c\n[ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]\n[ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]\n[ 39.635925] process_one_work+0x560/0xc5c\n[ 39.635951] worker_thread+0x7ec/0xcc0\n[ 39.635970] kthread+0x2d0/0x3d0\n[ 39.635990] ret_from_fork+0x10/0x20\n[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600\n which belongs to the cache kmalloc-512 of size 512\n[ 39.636039] The buggy address is located 13 bytes inside of\n 512-byte region [ffffff80cf28a600, ffffff80cf28a800)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:25.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3cec8a42fcd11d05313c724f27e01b1db77522c"
},
{
"url": "https://git.kernel.org/stable/c/02ba31e09a26e8cd4582ac8e6163d80284997727"
},
{
"url": "https://git.kernel.org/stable/c/01c6a899fa6be4f4cbf60c4f44f0f6691155415f"
},
{
"url": "https://git.kernel.org/stable/c/0fab6361c4ba17d1b43a991bef4238a3c1754d35"
}
],
"title": "Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49470",
"datePublished": "2025-02-26T02:13:14.024Z",
"dateReserved": "2025-02-26T02:08:31.578Z",
"dateUpdated": "2025-05-04T08:38:25.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49222 (GCVE-0-2022-49222)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: anx7625: Fix overflow issue on reading EDID
The length of EDID block can be longer than 256 bytes, so we should use
`int` instead of `u8` for the `edid_pos` variable.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64c06df2428bb7bb3d8cf5691416001af42d94dd",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "f0d5d938d51af4eb08d9d8684fd9903425a0a87d",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "db1c47d299298a7c52ccb201905d6be979fd7507",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
},
{
"lessThan": "d5c6f647aec9ed524aedd04a3aec5ebc21d39007",
"status": "affected",
"version": "8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/analogix/anx7625.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: anx7625: Fix overflow issue on reading EDID\n\nThe length of EDID block can be longer than 256 bytes, so we should use\n`int` instead of `u8` for the `edid_pos` variable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:46.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64c06df2428bb7bb3d8cf5691416001af42d94dd"
},
{
"url": "https://git.kernel.org/stable/c/f0d5d938d51af4eb08d9d8684fd9903425a0a87d"
},
{
"url": "https://git.kernel.org/stable/c/db1c47d299298a7c52ccb201905d6be979fd7507"
},
{
"url": "https://git.kernel.org/stable/c/d5c6f647aec9ed524aedd04a3aec5ebc21d39007"
}
],
"title": "drm/bridge: anx7625: Fix overflow issue on reading EDID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49222",
"datePublished": "2025-02-26T01:55:53.799Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-05-04T08:32:46.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49613 (GCVE-0-2022-49613)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix PM usage_count for console handover
When console is enabled, univ8250_console_setup() calls
serial8250_console_setup() before .dev is set to uart_port. Therefore,
it will not call pm_runtime_get_sync(). Later, when the actual driver
is going to take over univ8250_console_exit() is called. As .dev is
already set, serial8250_console_exit() makes pm_runtime_put_sync() call
with usage count being zero triggering PM usage count warning
(extra debug for univ8250_console_setup(), univ8250_console_exit(), and
serial8250_register_ports()):
[ 0.068987] univ8250_console_setup ttyS0 nodev
[ 0.499670] printk: console [ttyS0] enabled
[ 0.717955] printk: console [ttyS0] printing thread started
[ 1.960163] serial8250_register_ports assigned dev for ttyS0
[ 1.976830] printk: console [ttyS0] disabled
[ 1.976888] printk: console [ttyS0] printing thread stopped
[ 1.977073] univ8250_console_exit ttyS0 usage:0
[ 1.977075] serial8250 serial8250: Runtime PM usage count underflow!
[ 1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A
[ 1.977812] univ8250_console_setup ttyS0 usage:2
[ 1.978167] printk: console [ttyS0] printing thread started
[ 1.978203] printk: console [ttyS0] enabled
To fix the issue, call pm_runtime_get_sync() in
serial8250_register_ports() as soon as .dev is set for an uart_port
if it has console enabled.
This problem became apparent only recently because 82586a721595 ("PM:
runtime: Avoid device usage count underflows") added the warning
printout. I confirmed this problem also occurs with v5.18 (w/o the
warning printout, obviously).
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_core.c",
"drivers/tty/serial/serial_core.c",
"include/linux/serial_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9cb6fabc90102f9e61fe35bd0160db88f4f53b4",
"status": "affected",
"version": "bedb404e91bb2908d9921fc736a518a9d89525fc",
"versionType": "git"
},
{
"lessThan": "190ce5cdc55d1b66ea582ac2be6fd5a72e3cc486",
"status": "affected",
"version": "bedb404e91bb2908d9921fc736a518a9d89525fc",
"versionType": "git"
},
{
"lessThan": "5df66302f03f87ae8953785a882d78e911f00c55",
"status": "affected",
"version": "bedb404e91bb2908d9921fc736a518a9d89525fc",
"versionType": "git"
},
{
"lessThan": "f9b11229b79c0fb2100b5bb4628a101b1d37fbf6",
"status": "affected",
"version": "bedb404e91bb2908d9921fc736a518a9d89525fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_core.c",
"drivers/tty/serial/serial_core.c",
"include/linux/serial_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix PM usage_count for console handover\n\nWhen console is enabled, univ8250_console_setup() calls\nserial8250_console_setup() before .dev is set to uart_port. Therefore,\nit will not call pm_runtime_get_sync(). Later, when the actual driver\nis going to take over univ8250_console_exit() is called. As .dev is\nalready set, serial8250_console_exit() makes pm_runtime_put_sync() call\nwith usage count being zero triggering PM usage count warning\n(extra debug for univ8250_console_setup(), univ8250_console_exit(), and\nserial8250_register_ports()):\n\n[ 0.068987] univ8250_console_setup ttyS0 nodev\n[ 0.499670] printk: console [ttyS0] enabled\n[ 0.717955] printk: console [ttyS0] printing thread started\n[ 1.960163] serial8250_register_ports assigned dev for ttyS0\n[ 1.976830] printk: console [ttyS0] disabled\n[ 1.976888] printk: console [ttyS0] printing thread stopped\n[ 1.977073] univ8250_console_exit ttyS0 usage:0\n[ 1.977075] serial8250 serial8250: Runtime PM usage count underflow!\n[ 1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A\n[ 1.977812] univ8250_console_setup ttyS0 usage:2\n[ 1.978167] printk: console [ttyS0] printing thread started\n[ 1.978203] printk: console [ttyS0] enabled\n\nTo fix the issue, call pm_runtime_get_sync() in\nserial8250_register_ports() as soon as .dev is set for an uart_port\nif it has console enabled.\n\nThis problem became apparent only recently because 82586a721595 (\"PM:\nruntime: Avoid device usage count underflows\") added the warning\nprintout. I confirmed this problem also occurs with v5.18 (w/o the\nwarning printout, obviously)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:48.842Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9cb6fabc90102f9e61fe35bd0160db88f4f53b4"
},
{
"url": "https://git.kernel.org/stable/c/190ce5cdc55d1b66ea582ac2be6fd5a72e3cc486"
},
{
"url": "https://git.kernel.org/stable/c/5df66302f03f87ae8953785a882d78e911f00c55"
},
{
"url": "https://git.kernel.org/stable/c/f9b11229b79c0fb2100b5bb4628a101b1d37fbf6"
}
],
"title": "serial: 8250: Fix PM usage_count for console handover",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49613",
"datePublished": "2025-02-26T02:23:34.739Z",
"dateReserved": "2025-02-26T02:21:30.418Z",
"dateUpdated": "2025-05-04T08:41:48.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49615 (GCVE-0-2022-49615)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error
The initial settings will be written before the codec probe function.
But, the rt711->component doesn't be assigned yet.
If IO error happened during initial settings operations, it will cause the kernel panic.
This patch changed component->dev to slave->dev to fix this issue.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:51.365221Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt711-sdca.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "269be8b2907378adf72d7347cfa43ef230351a06",
"status": "affected",
"version": "7ad4d237e7c4a5dcc71cf438f646744b4484f1da",
"versionType": "git"
},
{
"lessThan": "7bb71133cae88d3003a3490b97864af76533072b",
"status": "affected",
"version": "7ad4d237e7c4a5dcc71cf438f646744b4484f1da",
"versionType": "git"
},
{
"lessThan": "1df793d479bef546569fc2e409ff8bb3f0fb8e99",
"status": "affected",
"version": "7ad4d237e7c4a5dcc71cf438f646744b4484f1da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt711-sdca.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error\n\nThe initial settings will be written before the codec probe function.\nBut, the rt711-\u003ecomponent doesn\u0027t be assigned yet.\nIf IO error happened during initial settings operations, it will cause the kernel panic.\nThis patch changed component-\u003edev to slave-\u003edev to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:50.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/269be8b2907378adf72d7347cfa43ef230351a06"
},
{
"url": "https://git.kernel.org/stable/c/7bb71133cae88d3003a3490b97864af76533072b"
},
{
"url": "https://git.kernel.org/stable/c/1df793d479bef546569fc2e409ff8bb3f0fb8e99"
}
],
"title": "ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49615",
"datePublished": "2025-02-26T02:23:35.696Z",
"dateReserved": "2025-02-26T02:21:30.419Z",
"dateUpdated": "2025-10-01T19:36:51.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49663 (GCVE-0-2022-49663)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header
was not set") caught a bug in skb_tunnel_check_pmtu(), as shown
in this syzbot report [1].
In ndo_start_xmit() paths, there is really no need to use skb->mac_header,
because skb->data is supposed to point at it.
[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Modules linked in:
CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00
RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212
RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000
RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003
RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff
R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f
FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
geneve_xmit_skb drivers/net/geneve.c:927 [inline]
geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
netdev_start_xmit include/linux/netdevice.h:4819 [inline]
__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
dev_direct_xmit include/linux/netdevice.h:3007 [inline]
packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
packet_snd net/packet/af_packet.c:3073 [inline]
packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
___sys_sendmsg+0xf3/0x170 net/socket.c:2543
__sys_sendmsg net/socket.c:2572 [inline]
__do_sys_sendmsg net/socket.c:2581 [inline]
__se_sys_sendmsg net/socket.c:2579 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3baaa89109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109
RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003
RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000
</TASK>
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59c51c3b545128a92ebfb6dbae990d3abee110e7",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "674a641e5b67e16ba3112eacd680ff87b38539de",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "32dcf62efa0003f92a976aea0c57f118e689de8b",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
},
{
"lessThan": "853a7614880231747040cada91d2b8d2e995c51a",
"status": "affected",
"version": "4cb47a8644cc9eb8ec81190a50e79e6530d0297f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: do not assume mac header is set in skb_tunnel_check_pmtu()\n\nRecently added debug in commit f9aefd6b2aa3 (\"net: warn if mac header\nwas not set\") caught a bug in skb_tunnel_check_pmtu(), as shown\nin this syzbot report [1].\n\nIn ndo_start_xmit() paths, there is really no need to use skb-\u003emac_header,\nbecause skb-\u003edata is supposed to point at it.\n\n[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]\nWARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413\nModules linked in:\nCPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]\nRIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413\nCode: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 \u003c0f\u003e 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00\nRSP: 0018:ffffc90002e4f520 EFLAGS: 00010212\nRAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000\nRDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003\nRBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff\nR13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f\nFS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\ngeneve_xmit_skb drivers/net/geneve.c:927 [inline]\ngeneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107\n__netdev_start_xmit include/linux/netdevice.h:4805 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4819 [inline]\n__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309\ndev_direct_xmit include/linux/netdevice.h:3007 [inline]\npacket_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282\npacket_snd net/packet/af_packet.c:3073 [inline]\npacket_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg+0xcf/0x120 net/socket.c:734\n____sys_sendmsg+0x6eb/0x810 net/socket.c:2489\n___sys_sendmsg+0xf3/0x170 net/socket.c:2543\n__sys_sendmsg net/socket.c:2572 [inline]\n__do_sys_sendmsg net/socket.c:2581 [inline]\n__se_sys_sendmsg net/socket.c:2579 [inline]\n__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f3baaa89109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109\nRDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003\nRBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:50.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59c51c3b545128a92ebfb6dbae990d3abee110e7"
},
{
"url": "https://git.kernel.org/stable/c/674a641e5b67e16ba3112eacd680ff87b38539de"
},
{
"url": "https://git.kernel.org/stable/c/32dcf62efa0003f92a976aea0c57f118e689de8b"
},
{
"url": "https://git.kernel.org/stable/c/853a7614880231747040cada91d2b8d2e995c51a"
}
],
"title": "tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49663",
"datePublished": "2025-02-26T02:23:59.311Z",
"dateReserved": "2025-02-26T02:21:30.435Z",
"dateUpdated": "2025-05-04T08:42:50.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49640 (GCVE-0-2022-49640)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sysctl: Fix data races in proc_douintvec_minmax().
A sysctl variable is accessed concurrently, and there is always a chance
of data-race. So, all readers and writers need some basic protection to
avoid load/store-tearing.
This patch changes proc_douintvec_minmax() to use READ_ONCE() and
WRITE_ONCE() internally to fix data-races on the sysctl side. For now,
proc_douintvec_minmax() itself is tolerant to a data-race, but we still
need to add annotations on the other subsystem's side.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:02.164289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:49.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3a2144b3b6bf9ecafd91087c8b8b48171ec19df",
"status": "affected",
"version": "61d9b56a89208d8cccd0b4cfec7e6959717e16e3",
"versionType": "git"
},
{
"lessThan": "40e0477a7371d101c55b69d9c32a7a1ed82ab5ea",
"status": "affected",
"version": "61d9b56a89208d8cccd0b4cfec7e6959717e16e3",
"versionType": "git"
},
{
"lessThan": "b60eddf98b9716651069dfda296c91311a7a6293",
"status": "affected",
"version": "61d9b56a89208d8cccd0b4cfec7e6959717e16e3",
"versionType": "git"
},
{
"lessThan": "2d3b559df3ed39258737789aae2ae7973d205bc1",
"status": "affected",
"version": "61d9b56a89208d8cccd0b4cfec7e6959717e16e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data races in proc_douintvec_minmax().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race. So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_douintvec_minmax() to use READ_ONCE() and\nWRITE_ONCE() internally to fix data-races on the sysctl side. For now,\nproc_douintvec_minmax() itself is tolerant to a data-race, but we still\nneed to add annotations on the other subsystem\u0027s side."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:22.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3a2144b3b6bf9ecafd91087c8b8b48171ec19df"
},
{
"url": "https://git.kernel.org/stable/c/40e0477a7371d101c55b69d9c32a7a1ed82ab5ea"
},
{
"url": "https://git.kernel.org/stable/c/b60eddf98b9716651069dfda296c91311a7a6293"
},
{
"url": "https://git.kernel.org/stable/c/2d3b559df3ed39258737789aae2ae7973d205bc1"
}
],
"title": "sysctl: Fix data races in proc_douintvec_minmax().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49640",
"datePublished": "2025-02-26T02:23:48.206Z",
"dateReserved": "2025-02-26T02:21:30.430Z",
"dateUpdated": "2025-10-01T19:36:49.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49114 (GCVE-0-2022-49114)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: libfc: Fix use after free in fc_exch_abts_resp()
fc_exch_release(ep) will decrease the ep's reference count. When the
reference count reaches zero, it is freed. But ep is still used in the
following code, which will lead to a use after free.
Return after the fc_exch_release() call to avoid use after free.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a Version: 42e9a92fe6a9095bd68a379aaec7ad2be0337f7a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T18:03:27.178498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T18:07:17.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/libfc/fc_exch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a131d4ea8b581ac9b01d3a72754db4848be3232",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "499d198494e77b6533251b9b909baf5c101129cb",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "6044ad64f41c87382cfeeca281573d1886d80cbe",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "5cf2ce8967b0d98c8cfa4dc42ef4fcf080f5c836",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "1d7effe5fff9d28e45e18ac3a564067c7ddfe898",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "f581df412bc45c95176e3c808ee2839c05b2ab0c",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "87909291762d08fdb60d19069d7a89b5b308d0ef",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "412dd8299b02e4410fe77b8396953c1a8dde183a",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
},
{
"lessThan": "271add11994ba1a334859069367e04d2be2ebdd4",
"status": "affected",
"version": "42e9a92fe6a9095bd68a379aaec7ad2be0337f7a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/libfc/fc_exch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix use after free in fc_exch_abts_resp()\n\nfc_exch_release(ep) will decrease the ep\u0027s reference count. When the\nreference count reaches zero, it is freed. But ep is still used in the\nfollowing code, which will lead to a use after free.\n\nReturn after the fc_exch_release() call to avoid use after free."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:06.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a131d4ea8b581ac9b01d3a72754db4848be3232"
},
{
"url": "https://git.kernel.org/stable/c/499d198494e77b6533251b9b909baf5c101129cb"
},
{
"url": "https://git.kernel.org/stable/c/6044ad64f41c87382cfeeca281573d1886d80cbe"
},
{
"url": "https://git.kernel.org/stable/c/5cf2ce8967b0d98c8cfa4dc42ef4fcf080f5c836"
},
{
"url": "https://git.kernel.org/stable/c/1d7effe5fff9d28e45e18ac3a564067c7ddfe898"
},
{
"url": "https://git.kernel.org/stable/c/f581df412bc45c95176e3c808ee2839c05b2ab0c"
},
{
"url": "https://git.kernel.org/stable/c/87909291762d08fdb60d19069d7a89b5b308d0ef"
},
{
"url": "https://git.kernel.org/stable/c/412dd8299b02e4410fe77b8396953c1a8dde183a"
},
{
"url": "https://git.kernel.org/stable/c/271add11994ba1a334859069367e04d2be2ebdd4"
}
],
"title": "scsi: libfc: Fix use after free in fc_exch_abts_resp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49114",
"datePublished": "2025-02-26T01:54:58.172Z",
"dateReserved": "2025-02-26T01:49:39.262Z",
"dateUpdated": "2025-05-21T08:44:06.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52939 (GCVE-0-2023-52939)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-10-01 17:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()
As commit 18365225f044 ("hwpoison, memcg: forcibly uncharge LRU pages"),
hwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg
could be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could
occurs a NULL pointer dereference, let's do not record the foreign
writebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to
fix it.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:37:07.765012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:37:10.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/memcontrol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b79ba5953f6fdc5559389ad415620bffc24f024b",
"status": "affected",
"version": "97b27821b4854ca744946dae32a3f2fd55bcd5bc",
"versionType": "git"
},
{
"lessThan": "ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9",
"status": "affected",
"version": "97b27821b4854ca744946dae32a3f2fd55bcd5bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/memcontrol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()\n\nAs commit 18365225f044 (\"hwpoison, memcg: forcibly uncharge LRU pages\"),\nhwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg\ncould be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could\noccurs a NULL pointer dereference, let\u0027s do not record the foreign\nwritebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to\nfix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:25.338Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b79ba5953f6fdc5559389ad415620bffc24f024b"
},
{
"url": "https://git.kernel.org/stable/c/ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9"
}
],
"title": "mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52939",
"datePublished": "2025-03-27T16:37:18.026Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-10-01T17:37:10.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49274 (GCVE-0-2022-49274)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix crash when mount with quota enabled
There is a reported crash when mounting ocfs2 with quota enabled.
RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]
Call Trace:
ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]
dquot_load_quota_sb+0x216/0x470
dquot_load_quota_inode+0x85/0x100
ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]
ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]
mount_bdev+0x185/0x1b0
legacy_get_tree+0x27/0x40
vfs_get_tree+0x25/0xb0
path_mount+0x465/0xac0
__x64_sys_mount+0x103/0x140
It is caused by when initializing dqi_gqlock, the corresponding dqi_type
and dqi_sb are not properly initialized.
This issue is introduced by commit 6c85c2c72819, which wants to avoid
accessing uninitialized variables in error cases. So make global quota
info properly initialized.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/quota_global.c",
"fs/ocfs2/quota_local.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c5312fdb1dcfdc1951b018669af88d5d6420b31",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "01931e1c4e3de5d777253acae64c0e8fd071a1dd",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "eda31f77317647b9fbf889779ee1fb6907651865",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
},
{
"lessThan": "de19433423c7bedabbd4f9a25f7dbc62c5e78921",
"status": "affected",
"version": "6c85c2c728193d19d6a908ae9fb312d0325e65ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/quota_global.c",
"fs/ocfs2/quota_local.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix crash when mount with quota enabled\n\nThere is a reported crash when mounting ocfs2 with quota enabled.\n\n RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]\n Call Trace:\n ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]\n dquot_load_quota_sb+0x216/0x470\n dquot_load_quota_inode+0x85/0x100\n ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]\n ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]\n mount_bdev+0x185/0x1b0\n legacy_get_tree+0x27/0x40\n vfs_get_tree+0x25/0xb0\n path_mount+0x465/0xac0\n __x64_sys_mount+0x103/0x140\n\nIt is caused by when initializing dqi_gqlock, the corresponding dqi_type\nand dqi_sb are not properly initialized.\n\nThis issue is introduced by commit 6c85c2c72819, which wants to avoid\naccessing uninitialized variables in error cases. So make global quota\ninfo properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:57.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c5312fdb1dcfdc1951b018669af88d5d6420b31"
},
{
"url": "https://git.kernel.org/stable/c/01931e1c4e3de5d777253acae64c0e8fd071a1dd"
},
{
"url": "https://git.kernel.org/stable/c/eda31f77317647b9fbf889779ee1fb6907651865"
},
{
"url": "https://git.kernel.org/stable/c/de19433423c7bedabbd4f9a25f7dbc62c5e78921"
}
],
"title": "ocfs2: fix crash when mount with quota enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49274",
"datePublished": "2025-02-26T01:56:19.586Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:57.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49670 (GCVE-0-2022-49670)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
linux/dim: Fix divide by 0 in RDMA DIM
Fix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio ==
0.
CallTrace:
Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020
task: ffff880194b78000 task.stack: ffffc90006714000
RIP: 0010:backport_rdma_dim+0x10e/0x240 [mlx_compat]
RSP: 0018:ffff880c10e83ec0 EFLAGS: 00010202
RAX: 0000000000002710 RBX: ffff88096cd7f780 RCX: 0000000000000064
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000001d7c6c09
R13: ffff88096cd7f780 R14: ffff880b174fe800 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff880c10e80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000a0965b00 CR3: 000000000200a003 CR4: 00000000007606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
ib_poll_handler+0x43/0x80 [ib_core]
irq_poll_softirq+0xae/0x110
__do_softirq+0xd1/0x28c
irq_exit+0xde/0xf0
do_IRQ+0x54/0xe0
common_interrupt+0x8f/0x8f
</IRQ>
? cpuidle_enter_state+0xd9/0x2a0
? cpuidle_enter_state+0xc7/0x2a0
? do_idle+0x170/0x1d0
? cpu_startup_entry+0x6f/0x80
? start_secondary+0x1b9/0x210
? secondary_startup_64+0xa5/0xb0
Code: 0f 87 e1 00 00 00 8b 4c 24 14 44 8b 43 14 89 c8 4d 63 c8 44 29 c0 99 31 d0 29 d0 31 d2 48 98 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <49> f7 f1 48 83 f8 0a 0f 86 c1 00 00 00 44 39 c1 7f 10 48 89 df
RIP: backport_rdma_dim+0x10e/0x240 [mlx_compat] RSP: ffff880c10e83ec0
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:21.787883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide By Zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/dim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5af106f8e072aebd88b95e164a08fa320651a99a",
"status": "affected",
"version": "f4915455dcf07c4f237d6160a4b6adb0575d2909",
"versionType": "git"
},
{
"lessThan": "fae2a9fb1eaf348ad8732f90d42ebbb971bd7e95",
"status": "affected",
"version": "f4915455dcf07c4f237d6160a4b6adb0575d2909",
"versionType": "git"
},
{
"lessThan": "0b6e0eb5c45e79e9095de2498cc0ca5ec563fc5e",
"status": "affected",
"version": "f4915455dcf07c4f237d6160a4b6adb0575d2909",
"versionType": "git"
},
{
"lessThan": "7c1963391af51ee322378d1b2849c60e9037f069",
"status": "affected",
"version": "f4915455dcf07c4f237d6160a4b6adb0575d2909",
"versionType": "git"
},
{
"lessThan": "0fe3dbbefb74a8575f61d7801b08dbc50523d60d",
"status": "affected",
"version": "f4915455dcf07c4f237d6160a4b6adb0575d2909",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/dim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlinux/dim: Fix divide by 0 in RDMA DIM\n\nFix a divide 0 error in rdma_dim_stats_compare() when prev-\u003ecpe_ratio ==\n0.\n\nCallTrace:\n Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020\n task: ffff880194b78000 task.stack: ffffc90006714000\n RIP: 0010:backport_rdma_dim+0x10e/0x240 [mlx_compat]\n RSP: 0018:ffff880c10e83ec0 EFLAGS: 00010202\n RAX: 0000000000002710 RBX: ffff88096cd7f780 RCX: 0000000000000064\n RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001\n RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 000000001d7c6c09\n R13: ffff88096cd7f780 R14: ffff880b174fe800 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff880c10e80000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000a0965b00 CR3: 000000000200a003 CR4: 00000000007606e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n ib_poll_handler+0x43/0x80 [ib_core]\n irq_poll_softirq+0xae/0x110\n __do_softirq+0xd1/0x28c\n irq_exit+0xde/0xf0\n do_IRQ+0x54/0xe0\n common_interrupt+0x8f/0x8f\n \u003c/IRQ\u003e\n ? cpuidle_enter_state+0xd9/0x2a0\n ? cpuidle_enter_state+0xc7/0x2a0\n ? do_idle+0x170/0x1d0\n ? cpu_startup_entry+0x6f/0x80\n ? start_secondary+0x1b9/0x210\n ? secondary_startup_64+0xa5/0xb0\n Code: 0f 87 e1 00 00 00 8b 4c 24 14 44 8b 43 14 89 c8 4d 63 c8 44 29 c0 99 31 d0 29 d0 31 d2 48 98 48 8d 04 80 48 8d 04 80 48 c1 e0 02 \u003c49\u003e f7 f1 48 83 f8 0a 0f 86 c1 00 00 00 44 39 c1 7f 10 48 89 df\n RIP: backport_rdma_dim+0x10e/0x240 [mlx_compat] RSP: ffff880c10e83ec0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:58.686Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5af106f8e072aebd88b95e164a08fa320651a99a"
},
{
"url": "https://git.kernel.org/stable/c/fae2a9fb1eaf348ad8732f90d42ebbb971bd7e95"
},
{
"url": "https://git.kernel.org/stable/c/0b6e0eb5c45e79e9095de2498cc0ca5ec563fc5e"
},
{
"url": "https://git.kernel.org/stable/c/7c1963391af51ee322378d1b2849c60e9037f069"
},
{
"url": "https://git.kernel.org/stable/c/0fe3dbbefb74a8575f61d7801b08dbc50523d60d"
}
],
"title": "linux/dim: Fix divide by 0 in RDMA DIM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49670",
"datePublished": "2025-02-26T02:24:03.938Z",
"dateReserved": "2025-02-26T02:21:30.436Z",
"dateUpdated": "2025-10-01T19:36:47.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49723 (GCVE-0-2022-49723)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/reset: Fix error_state_read ptr + offset use
Fix our pointer offset usage in error_state_read
when there is no i915_gpu_coredump but buf offset
is non-zero.
This fixes a kernel page fault can happen when
multiple tests are running concurrently in a loop
and one is producing engine resets and consuming
the i915 error_state dump while the other is
forcing full GT resets. (takes a while to trigger).
The dmesg call trace:
[ 5590.803000] BUG: unable to handle page fault for address:
ffffffffa0b0e000
[ 5590.803009] #PF: supervisor read access in kernel mode
[ 5590.803013] #PF: error_code(0x0000) - not-present page
[ 5590.803016] PGD 5814067 P4D 5814067 PUD 5815063 PMD 109de4067
PTE 0
[ 5590.803022] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 5590.803026] CPU: 5 PID: 13656 Comm: i915_hangman Tainted: G U
5.17.0-rc5-ups69-guc-err-capt-rev6+ #136
[ 5590.803033] Hardware name: Intel Corporation Alder Lake Client
Platform/AlderLake-M LP4x RVP, BIOS ADLPFWI1.R00.
3031.A02.2201171222 01/17/2022
[ 5590.803039] RIP: 0010:memcpy_erms+0x6/0x10
[ 5590.803045] Code: fe ff ff cc eb 1e 0f 1f 00 48 89 f8 48 89 d1
48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3
66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4
c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20
72 7e 40 38 fe
[ 5590.803054] RSP: 0018:ffffc90003a8fdf0 EFLAGS: 00010282
[ 5590.803057] RAX: ffff888107ee9000 RBX: ffff888108cb1a00
RCX: 0000000000000f8f
[ 5590.803061] RDX: 0000000000001000 RSI: ffffffffa0b0e000
RDI: ffff888107ee9071
[ 5590.803065] RBP: 0000000000000000 R08: 0000000000000001
R09: 0000000000000001
[ 5590.803069] R10: 0000000000000001 R11: 0000000000000002
R12: 0000000000000019
[ 5590.803073] R13: 0000000000174fff R14: 0000000000001000
R15: ffff888107ee9000
[ 5590.803077] FS: 00007f62a99bee80(0000) GS:ffff88849f880000(0000)
knlGS:0000000000000000
[ 5590.803082] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5590.803085] CR2: ffffffffa0b0e000 CR3: 000000010a1a8004
CR4: 0000000000770ee0
[ 5590.803089] PKRU: 55555554
[ 5590.803091] Call Trace:
[ 5590.803093] <TASK>
[ 5590.803096] error_state_read+0xa1/0xd0 [i915]
[ 5590.803175] kernfs_fop_read_iter+0xb2/0x1b0
[ 5590.803180] new_sync_read+0x116/0x1a0
[ 5590.803185] vfs_read+0x114/0x1b0
[ 5590.803189] ksys_read+0x63/0xe0
[ 5590.803193] do_syscall_64+0x38/0xc0
[ 5590.803197] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 5590.803201] RIP: 0033:0x7f62aaea5912
[ 5590.803204] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 5a b9 0c 00 e8 05
19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25
18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff
ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 5590.803213] RSP: 002b:00007fff5b659ae8 EFLAGS: 00000246
ORIG_RAX: 0000000000000000
[ 5590.803218] RAX: ffffffffffffffda RBX: 0000000000100000
RCX: 00007f62aaea5912
[ 5590.803221] RDX: 000000000008b000 RSI: 00007f62a8c4000f
RDI: 0000000000000006
[ 5590.803225] RBP: 00007f62a8bcb00f R08: 0000000000200010
R09: 0000000000101000
[ 5590.803229] R10: 0000000000000001 R11: 0000000000000246
R12: 0000000000000006
[ 5590.803233] R13: 0000000000075000 R14: 00007f62a8acb010
R15: 0000000000200000
[ 5590.803238] </TASK>
[ 5590.803240] Modules linked in: i915 ttm drm_buddy drm_dp_helper
drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops prime_numbers nfnetlink br_netfilter
overlay mei_pxp mei_hdcp x86_pkg_temp_thermal
coretemp kvm_intel snd_hda_codec_hdmi snd_hda_intel
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63b26fe0252f923e6aca373e3ad4b31202dcd331",
"status": "affected",
"version": "0e39037b3165567660b0e03f67534da5269a0465",
"versionType": "git"
},
{
"lessThan": "f4c5eba87675a07a6c28cdaca7366aeb4258ec78",
"status": "affected",
"version": "0e39037b3165567660b0e03f67534da5269a0465",
"versionType": "git"
},
{
"lessThan": "606e5d565605e26bf61a0933a6d56940f339c080",
"status": "affected",
"version": "0e39037b3165567660b0e03f67534da5269a0465",
"versionType": "git"
},
{
"lessThan": "c9b576d0c7bf55aeae1a736da7974fa202c4394d",
"status": "affected",
"version": "0e39037b3165567660b0e03f67534da5269a0465",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/reset: Fix error_state_read ptr + offset use\n\nFix our pointer offset usage in error_state_read\nwhen there is no i915_gpu_coredump but buf offset\nis non-zero.\n\nThis fixes a kernel page fault can happen when\nmultiple tests are running concurrently in a loop\nand one is producing engine resets and consuming\nthe i915 error_state dump while the other is\nforcing full GT resets. (takes a while to trigger).\n\nThe dmesg call trace:\n\n[ 5590.803000] BUG: unable to handle page fault for address:\n ffffffffa0b0e000\n[ 5590.803009] #PF: supervisor read access in kernel mode\n[ 5590.803013] #PF: error_code(0x0000) - not-present page\n[ 5590.803016] PGD 5814067 P4D 5814067 PUD 5815063 PMD 109de4067\n PTE 0\n[ 5590.803022] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 5590.803026] CPU: 5 PID: 13656 Comm: i915_hangman Tainted: G U\n 5.17.0-rc5-ups69-guc-err-capt-rev6+ #136\n[ 5590.803033] Hardware name: Intel Corporation Alder Lake Client\n Platform/AlderLake-M LP4x RVP, BIOS ADLPFWI1.R00.\n 3031.A02.2201171222\t01/17/2022\n[ 5590.803039] RIP: 0010:memcpy_erms+0x6/0x10\n[ 5590.803045] Code: fe ff ff cc eb 1e 0f 1f 00 48 89 f8 48 89 d1\n 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3\n 66 0f 1f 44 00 00 48 89 f8 48 89 d1 \u003cf3\u003e a4\n c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20\n 72 7e 40 38 fe\n[ 5590.803054] RSP: 0018:ffffc90003a8fdf0 EFLAGS: 00010282\n[ 5590.803057] RAX: ffff888107ee9000 RBX: ffff888108cb1a00\n RCX: 0000000000000f8f\n[ 5590.803061] RDX: 0000000000001000 RSI: ffffffffa0b0e000\n RDI: ffff888107ee9071\n[ 5590.803065] RBP: 0000000000000000 R08: 0000000000000001\n R09: 0000000000000001\n[ 5590.803069] R10: 0000000000000001 R11: 0000000000000002\n R12: 0000000000000019\n[ 5590.803073] R13: 0000000000174fff R14: 0000000000001000\n R15: ffff888107ee9000\n[ 5590.803077] FS: 00007f62a99bee80(0000) GS:ffff88849f880000(0000)\n knlGS:0000000000000000\n[ 5590.803082] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5590.803085] CR2: ffffffffa0b0e000 CR3: 000000010a1a8004\n CR4: 0000000000770ee0\n[ 5590.803089] PKRU: 55555554\n[ 5590.803091] Call Trace:\n[ 5590.803093] \u003cTASK\u003e\n[ 5590.803096] error_state_read+0xa1/0xd0 [i915]\n[ 5590.803175] kernfs_fop_read_iter+0xb2/0x1b0\n[ 5590.803180] new_sync_read+0x116/0x1a0\n[ 5590.803185] vfs_read+0x114/0x1b0\n[ 5590.803189] ksys_read+0x63/0xe0\n[ 5590.803193] do_syscall_64+0x38/0xc0\n[ 5590.803197] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 5590.803201] RIP: 0033:0x7f62aaea5912\n[ 5590.803204] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 5a b9 0c 00 e8 05\n 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25\n 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff\n ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[ 5590.803213] RSP: 002b:00007fff5b659ae8 EFLAGS: 00000246\n ORIG_RAX: 0000000000000000\n[ 5590.803218] RAX: ffffffffffffffda RBX: 0000000000100000\n RCX: 00007f62aaea5912\n[ 5590.803221] RDX: 000000000008b000 RSI: 00007f62a8c4000f\n RDI: 0000000000000006\n[ 5590.803225] RBP: 00007f62a8bcb00f R08: 0000000000200010\n R09: 0000000000101000\n[ 5590.803229] R10: 0000000000000001 R11: 0000000000000246\n R12: 0000000000000006\n[ 5590.803233] R13: 0000000000075000 R14: 00007f62a8acb010\n R15: 0000000000200000\n[ 5590.803238] \u003c/TASK\u003e\n[ 5590.803240] Modules linked in: i915 ttm drm_buddy drm_dp_helper\n drm_kms_helper syscopyarea sysfillrect sysimgblt\n fb_sys_fops prime_numbers nfnetlink br_netfilter\n overlay mei_pxp mei_hdcp x86_pkg_temp_thermal\n coretemp kvm_intel snd_hda_codec_hdmi snd_hda_intel\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:06.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63b26fe0252f923e6aca373e3ad4b31202dcd331"
},
{
"url": "https://git.kernel.org/stable/c/f4c5eba87675a07a6c28cdaca7366aeb4258ec78"
},
{
"url": "https://git.kernel.org/stable/c/606e5d565605e26bf61a0933a6d56940f339c080"
},
{
"url": "https://git.kernel.org/stable/c/c9b576d0c7bf55aeae1a736da7974fa202c4394d"
}
],
"title": "drm/i915/reset: Fix error_state_read ptr + offset use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49723",
"datePublished": "2025-02-26T02:24:36.049Z",
"dateReserved": "2025-02-26T02:21:30.447Z",
"dateUpdated": "2025-05-04T08:44:06.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21820 (GCVE-0-2025-21820)
Vulnerability from cvelistv5
Published
2025-02-27 20:04
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: xilinx_uartps: split sysrq handling
lockdep detects the following circular locking dependency:
CPU 0 CPU 1
========================== ============================
cdns_uart_isr() printk()
uart_port_lock(port) console_lock()
cdns_uart_console_write()
if (!port->sysrq)
uart_port_lock(port)
uart_handle_break()
port->sysrq = ...
uart_handle_sysrq_char()
printk()
console_lock()
The fixed commit attempts to avoid this situation by only taking the
port lock in cdns_uart_console_write if port->sysrq unset. However, if
(as shown above) cdns_uart_console_write runs before port->sysrq is set,
then it will try to take the port lock anyway. This may result in a
deadlock.
Fix this by splitting sysrq handling into two parts. We use the prepare
helper under the port lock and defer handling until we release the lock.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 Version: 74ea66d4ca061a3cd4c0e924e51b60e924644852 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:53.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/xilinx_uartps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e22a97700901ba5e8bf8db68056a0d50f9440cae",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
},
{
"lessThan": "de5bd24197bd9ee37ec1e379a3d882bbd15c5065",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
},
{
"lessThan": "8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
},
{
"lessThan": "9b88a7c4584ba67267a051069b8abe44fc9595b2",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
},
{
"lessThan": "4410dba9807a17a93f649a9f5870ceaf30a675a3",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
},
{
"lessThan": "b06f388994500297bb91be60ffaf6825ecfd2afe",
"status": "affected",
"version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/xilinx_uartps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: xilinx_uartps: split sysrq handling\n\nlockdep detects the following circular locking dependency:\n\nCPU 0 CPU 1\n========================== ============================\ncdns_uart_isr() printk()\n uart_port_lock(port) console_lock()\n\t\t\t cdns_uart_console_write()\n if (!port-\u003esysrq)\n uart_port_lock(port)\n uart_handle_break()\n port-\u003esysrq = ...\n uart_handle_sysrq_char()\n printk()\n console_lock()\n\nThe fixed commit attempts to avoid this situation by only taking the\nport lock in cdns_uart_console_write if port-\u003esysrq unset. However, if\n(as shown above) cdns_uart_console_write runs before port-\u003esysrq is set,\nthen it will try to take the port lock anyway. This may result in a\ndeadlock.\n\nFix this by splitting sysrq handling into two parts. We use the prepare\nhelper under the port lock and defer handling until we release the lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:51.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e22a97700901ba5e8bf8db68056a0d50f9440cae"
},
{
"url": "https://git.kernel.org/stable/c/de5bd24197bd9ee37ec1e379a3d882bbd15c5065"
},
{
"url": "https://git.kernel.org/stable/c/8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c"
},
{
"url": "https://git.kernel.org/stable/c/9b88a7c4584ba67267a051069b8abe44fc9595b2"
},
{
"url": "https://git.kernel.org/stable/c/4410dba9807a17a93f649a9f5870ceaf30a675a3"
},
{
"url": "https://git.kernel.org/stable/c/b06f388994500297bb91be60ffaf6825ecfd2afe"
}
],
"title": "tty: xilinx_uartps: split sysrq handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21820",
"datePublished": "2025-02-27T20:04:17.930Z",
"dateReserved": "2024-12-29T08:45:45.775Z",
"dateUpdated": "2025-11-03T20:59:53.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47654 (GCVE-0-2021-47654)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
samples/landlock: Fix path_list memory leak
Clang static analysis reports this error
sandboxer.c:134:8: warning: Potential leak of memory
pointed to by 'path_list'
ret = 0;
^
path_list is allocated in parse_path() but never freed.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:18.388284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"samples/landlock/sandboxer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20fbf100f84b9aeb9c91421abe1927bc152bc32b",
"status": "affected",
"version": "ba84b0bf5a164f0f523656c1e37568c30f3f3303",
"versionType": "git"
},
{
"lessThan": "49b0d8bf05809df5f87e5c03e26d74bdfdab4571",
"status": "affected",
"version": "ba84b0bf5a164f0f523656c1e37568c30f3f3303",
"versionType": "git"
},
{
"lessThan": "017196730299ccd6eed24bbfabed8af4ffd81530",
"status": "affected",
"version": "ba84b0bf5a164f0f523656c1e37568c30f3f3303",
"versionType": "git"
},
{
"lessThan": "66b513b7c64a7290c1fbb88e657f7cece992e131",
"status": "affected",
"version": "ba84b0bf5a164f0f523656c1e37568c30f3f3303",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"samples/landlock/sandboxer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsamples/landlock: Fix path_list memory leak\n\nClang static analysis reports this error\n\nsandboxer.c:134:8: warning: Potential leak of memory\n pointed to by \u0027path_list\u0027\n ret = 0;\n ^\npath_list is allocated in parse_path() but never freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:40.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20fbf100f84b9aeb9c91421abe1927bc152bc32b"
},
{
"url": "https://git.kernel.org/stable/c/49b0d8bf05809df5f87e5c03e26d74bdfdab4571"
},
{
"url": "https://git.kernel.org/stable/c/017196730299ccd6eed24bbfabed8af4ffd81530"
},
{
"url": "https://git.kernel.org/stable/c/66b513b7c64a7290c1fbb88e657f7cece992e131"
}
],
"title": "samples/landlock: Fix path_list memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47654",
"datePublished": "2025-02-26T01:54:19.083Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-10-01T19:57:07.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49158 (GCVE-0-2022-49158)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix warning message due to adisc being flushed
Fix warning message due to adisc being flushed. Linux kernel triggered a
warning message where a different error code type is not matching up with
the expected type. Add additional translation of one error code type to
another.
WARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498
qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]
CPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1
..
GPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000
NIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]
LR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx]
Call Trace:
[c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable)
[c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx]
[c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx]
[c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx]
[c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx]
[c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120
[c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0
[c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100
[c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40
[c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130
[c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [
c00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180
[c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60
[c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20]
[c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290
[c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0
[c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330
[c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130
[c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0
[c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a3457777c4f700c64836e78dc71e6ce459f62b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b13baf97ddbc1a7e7536168383bc0d84c2204b03",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d8fb8da69e194e0249b3cdb746ef09ce823ae26b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64f24af75b79cba3b86b0760e27e0fa904db570f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix warning message due to adisc being flushed\n\nFix warning message due to adisc being flushed. Linux kernel triggered a\nwarning message where a different error code type is not matching up with\nthe expected type. Add additional translation of one error code type to\nanother.\n\nWARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498\nqla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nCPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1\n..\nGPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000\nNIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nLR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx]\nCall Trace:\n[c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable)\n[c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx]\n[c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx]\n[c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx]\n[c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx]\n[c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120\n[c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0\n[c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100\n[c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40\n[c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130\n[c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [\nc00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180\n[c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60\n[c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20]\n[c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290\n[c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0\n[c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330\n[c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130\n[c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0\n[c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:14.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a3457777c4f700c64836e78dc71e6ce459f62b8"
},
{
"url": "https://git.kernel.org/stable/c/b13baf97ddbc1a7e7536168383bc0d84c2204b03"
},
{
"url": "https://git.kernel.org/stable/c/d8fb8da69e194e0249b3cdb746ef09ce823ae26b"
},
{
"url": "https://git.kernel.org/stable/c/64f24af75b79cba3b86b0760e27e0fa904db570f"
}
],
"title": "scsi: qla2xxx: Fix warning message due to adisc being flushed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49158",
"datePublished": "2025-02-26T01:55:21.304Z",
"dateReserved": "2025-02-26T01:49:39.276Z",
"dateUpdated": "2025-05-04T08:31:14.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21838 (GCVE-0-2025-21838)
Vulnerability from cvelistv5
Published
2025-03-07 09:09
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: core: flush gadget workqueue after device removal
device_del() can lead to new work being scheduled in gadget->work
workqueue. This is observed, for example, with the dwc3 driver with the
following call stack:
device_del()
gadget_unbind_driver()
usb_gadget_disconnect_locked()
dwc3_gadget_pullup()
dwc3_gadget_soft_disconnect()
usb_gadget_set_state()
schedule_work(&gadget->work)
Move flush_work() after device_del() to ensure the workqueue is cleaned
up.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:56.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "859cb45aefa6de823b2fa7f229fe6d9562c9f3b7",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "f894448f3904d7ad66fecef8f01fe0172629e091",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "97695b5a1b5467a4f91194db12160f56da445dfe",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "399a45e5237ca14037120b1b895bd38a3b4492ea",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: core: flush gadget workqueue after device removal\n\ndevice_del() can lead to new work being scheduled in gadget-\u003ework\nworkqueue. This is observed, for example, with the dwc3 driver with the\nfollowing call stack:\n device_del()\n gadget_unbind_driver()\n usb_gadget_disconnect_locked()\n dwc3_gadget_pullup()\n\t dwc3_gadget_soft_disconnect()\n\t usb_gadget_set_state()\n\t schedule_work(\u0026gadget-\u003ework)\n\nMove flush_work() after device_del() to ensure the workqueue is cleaned\nup."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:17.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266"
},
{
"url": "https://git.kernel.org/stable/c/859cb45aefa6de823b2fa7f229fe6d9562c9f3b7"
},
{
"url": "https://git.kernel.org/stable/c/f894448f3904d7ad66fecef8f01fe0172629e091"
},
{
"url": "https://git.kernel.org/stable/c/97695b5a1b5467a4f91194db12160f56da445dfe"
},
{
"url": "https://git.kernel.org/stable/c/399a45e5237ca14037120b1b895bd38a3b4492ea"
}
],
"title": "usb: gadget: core: flush gadget workqueue after device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21838",
"datePublished": "2025-03-07T09:09:57.515Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2025-11-03T19:37:56.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21701 (GCVE-0-2025-21701)
Vulnerability from cvelistv5
Published
2025-02-13 15:05
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: avoid race between device unregistration and ethnl ops
The following trace can be seen if a device is being unregistered while
its number of channels are being modified.
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
RIP: 0010:__mutex_lock+0xc8a/0x1120
Call Trace:
<TASK>
ethtool_check_max_channel+0x1ea/0x880
ethnl_set_channels+0x3c3/0xb10
ethnl_default_set_doit+0x306/0x650
genl_family_rcv_msg_doit+0x1e3/0x2c0
genl_rcv_msg+0x432/0x6f0
netlink_rcv_skb+0x13d/0x3b0
genl_rcv+0x28/0x40
netlink_unicast+0x42e/0x720
netlink_sendmsg+0x765/0xc20
__sys_sendto+0x3ac/0x420
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x95/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because unregister_netdevice_many_notify might run before the
rtnl lock section of ethnl operations, eg. set_channels in the above
example. In this example the rss lock would be destroyed by the device
unregistration path before being used again, but in general running
ethnl operations while dismantle has started is not a good idea.
Fix this by denying any operation on devices being unregistered. A check
was already there in ethnl_ops_begin, but not wide enough.
Note that the same issue cannot be seen on the ioctl version
(__dev_ethtool) because the device reference is retrieved from within
the rtnl lock section there. Once dismantle started, the net device is
unlisted and no reference will be found.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cfd719f04267108f5f5bf802b9d7de69e99a99f9 Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: dde91ccfa25fd58f64c397d91b81a4b393100ffa Version: 7c26da3be1e9843a15b5318f90db8a564479d2ac |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:15:24.731894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:16:21.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:47.886Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26bc6076798aa4dc83a07d0a386f9e57c94e8517",
"status": "affected",
"version": "cfd719f04267108f5f5bf802b9d7de69e99a99f9",
"versionType": "git"
},
{
"lessThan": "b1cb37a31a482df3dd35a6ac166282dac47664f4",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "2f29127e94ae9fdc7497331003d6860e9551cdf3",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "b382ab9b885cbb665e0e70a727f101c981b4edf3",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "4dc880245f9b529fa8f476b5553c799d2848b47b",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"lessThan": "12e070eb6964b341b41677fd260af5a305316a1f",
"status": "affected",
"version": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"versionType": "git"
},
{
"status": "affected",
"version": "7c26da3be1e9843a15b5318f90db8a564479d2ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n DEBUG_LOCKS_WARN_ON(lock-\u003emagic != lock)\n WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n RIP: 0010:__mutex_lock+0xc8a/0x1120\n Call Trace:\n \u003cTASK\u003e\n ethtool_check_max_channel+0x1ea/0x880\n ethnl_set_channels+0x3c3/0xb10\n ethnl_default_set_doit+0x306/0x650\n genl_family_rcv_msg_doit+0x1e3/0x2c0\n genl_rcv_msg+0x432/0x6f0\n netlink_rcv_skb+0x13d/0x3b0\n genl_rcv+0x28/0x40\n netlink_unicast+0x42e/0x720\n netlink_sendmsg+0x765/0xc20\n __sys_sendto+0x3ac/0x420\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x95/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:18.444Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517"
},
{
"url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4"
},
{
"url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3"
},
{
"url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3"
},
{
"url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b"
},
{
"url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f"
}
],
"title": "net: avoid race between device unregistration and ethnl ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21701",
"datePublished": "2025-02-13T15:05:46.483Z",
"dateReserved": "2024-12-29T08:45:45.748Z",
"dateUpdated": "2025-11-03T19:35:47.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49523 (GCVE-0-2022-49523)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: disable spectral scan during spectral deinit
When ath11k modules are removed using rmmod with spectral scan enabled,
crash is observed. Different crash trace is observed for each crash.
Send spectral scan disable WMI command to firmware before cleaning
the spectral dbring in the spectral_deinit API to avoid this crash.
call trace from one of the crash observed:
[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1252.882722] pgd = 0f42e886
[ 1252.890955] [00000008] *pgd=00000000
[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0
[ 1253.115261] Hardware name: Generic DT based system
[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]
[ 1253.125940] LR is at 0x88e31017
[ 1253.132448] pc : [<7f9387b8>] lr : [<88e31017>] psr: a0000193
[ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000
[ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080
[ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000
[ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001
[ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055
[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)
[ 1253.458055] [<7f9387b8>] (ath11k_spectral_process_data [ath11k]) from [<7f917fdc>] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])
[ 1253.466139] [<7f917fdc>] (ath11k_dbring_buffer_release_event [ath11k]) from [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])
[ 1253.478807] [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx [ath11k]) from [<7f8fe868>] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])
[ 1253.490699] [<7f8fe868>] (ath11k_htc_rx_completion_handler [ath11k]) from [<7f91308c>] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])
[ 1253.502386] [<7f91308c>] (ath11k_ce_per_engine_service [ath11k]) from [<7f9a4198>] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])
[ 1253.514811] [<7f9a4198>] (ath11k_pci_ce_tasklet [ath11k_pci]) from [<8032227c>] (tasklet_action_common.constprop.2+0x64/0xe8)
[ 1253.526476] [<8032227c>] (tasklet_action_common.constprop.2) from [<803021e8>] (__do_softirq+0x130/0x2d0)
[ 1253.537756] [<803021e8>] (__do_softirq) from [<80322610>] (irq_exit+0xcc/0xe8)
[ 1253.547304] [<80322610>] (irq_exit) from [<8036a4a4>] (__handle_domain_irq+0x60/0xb4)
[ 1253.554428] [<8036a4a4>] (__handle_domain_irq) from [<805eb348>] (gic_handle_irq+0x4c/0x90)
[ 1253.562321] [<805eb348>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)
Tested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49523",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:09.164993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/spectral.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60afa4f4e1350c876d8a061182a70c224de275dd",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "451b9076903a057b7b8d5b24dc84b3e436a1c743",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "4b9c54caef58d2b55074710952cda70540722c01",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "8f15e67af9bec5a69e815e0230a70cffddae371a",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "161c64de239c7018e0295e7e0520a19f00aa32dc",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/spectral.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: disable spectral scan during spectral deinit\n\nWhen ath11k modules are removed using rmmod with spectral scan enabled,\ncrash is observed. Different crash trace is observed for each crash.\n\nSend spectral scan disable WMI command to firmware before cleaning\nthe spectral dbring in the spectral_deinit API to avoid this crash.\n\ncall trace from one of the crash observed:\n[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008\n[ 1252.882722] pgd = 0f42e886\n[ 1252.890955] [00000008] *pgd=00000000\n[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0\n[ 1253.115261] Hardware name: Generic DT based system\n[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]\n[ 1253.125940] LR is at 0x88e31017\n[ 1253.132448] pc : [\u003c7f9387b8\u003e] lr : [\u003c88e31017\u003e] psr: a0000193\n[ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000\n[ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080\n[ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000\n[ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001\n[ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\n[ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055\n[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)\n[ 1253.458055] [\u003c7f9387b8\u003e] (ath11k_spectral_process_data [ath11k]) from [\u003c7f917fdc\u003e] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])\n[ 1253.466139] [\u003c7f917fdc\u003e] (ath11k_dbring_buffer_release_event [ath11k]) from [\u003c7f8ea3c4\u003e] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])\n[ 1253.478807] [\u003c7f8ea3c4\u003e] (ath11k_wmi_tlv_op_rx [ath11k]) from [\u003c7f8fe868\u003e] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])\n[ 1253.490699] [\u003c7f8fe868\u003e] (ath11k_htc_rx_completion_handler [ath11k]) from [\u003c7f91308c\u003e] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])\n[ 1253.502386] [\u003c7f91308c\u003e] (ath11k_ce_per_engine_service [ath11k]) from [\u003c7f9a4198\u003e] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])\n[ 1253.514811] [\u003c7f9a4198\u003e] (ath11k_pci_ce_tasklet [ath11k_pci]) from [\u003c8032227c\u003e] (tasklet_action_common.constprop.2+0x64/0xe8)\n[ 1253.526476] [\u003c8032227c\u003e] (tasklet_action_common.constprop.2) from [\u003c803021e8\u003e] (__do_softirq+0x130/0x2d0)\n[ 1253.537756] [\u003c803021e8\u003e] (__do_softirq) from [\u003c80322610\u003e] (irq_exit+0xcc/0xe8)\n[ 1253.547304] [\u003c80322610\u003e] (irq_exit) from [\u003c8036a4a4\u003e] (__handle_domain_irq+0x60/0xb4)\n[ 1253.554428] [\u003c8036a4a4\u003e] (__handle_domain_irq) from [\u003c805eb348\u003e] (gic_handle_irq+0x4c/0x90)\n[ 1253.562321] [\u003c805eb348\u003e] (gic_handle_irq) from [\u003c80301a78\u003e] (__irq_svc+0x58/0x8c)\n\nTested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:45.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60afa4f4e1350c876d8a061182a70c224de275dd"
},
{
"url": "https://git.kernel.org/stable/c/451b9076903a057b7b8d5b24dc84b3e436a1c743"
},
{
"url": "https://git.kernel.org/stable/c/4b9c54caef58d2b55074710952cda70540722c01"
},
{
"url": "https://git.kernel.org/stable/c/8f15e67af9bec5a69e815e0230a70cffddae371a"
},
{
"url": "https://git.kernel.org/stable/c/161c64de239c7018e0295e7e0520a19f00aa32dc"
}
],
"title": "ath11k: disable spectral scan during spectral deinit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49523",
"datePublished": "2025-02-26T02:13:47.757Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-10-01T19:46:41.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49073 (GCVE-0-2022-49073)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: sata_dwc_460ex: Fix crash due to OOB write
the driver uses libata's "tag" values from in various arrays.
Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32,
the value of the SATA_DWC_QCMD_MAX needs to account for that.
Otherwise ATA_TAG_INTERNAL usage cause similar crashes like
this as reported by Tice Rex on the OpenWrt Forum and
reproduced (with symbols) here:
| BUG: Kernel NULL pointer dereference at 0x00000000
| Faulting instruction address: 0xc03ed4b8
| Oops: Kernel access of bad area, sig: 11 [#1]
| BE PAGE_SIZE=4K PowerPC 44x Platform
| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c
| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)
| MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000
| DEAR: 00000000 ESR: 00000000
| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
| [..]
| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| Call Trace:
| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
| [...]
This is because sata_dwc_dma_xfer_complete() NULLs the
dma_pending's next neighbour "chan" (a *dma_chan struct) in
this '32' case right here (line ~735):
> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;
Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes
the NULL'd hsdevp->chan to the dmaengine_slave_config() which then
causes the crash.
With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.
This avoids the OOB. But please note, there was a worthwhile discussion
on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not
be a "fake" 33 command-long queue size.
Ideally, the dw driver should account for the ATA_TAG_INTERNAL.
In Damien Le Moal's words: "... having looked at the driver, it
is a bigger change than just faking a 33rd "tag" that is in fact
not a command tag at all."
BugLink: https://github.com/openwrt/openwrt/issues/9505
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d Version: 28361c403683c2b00d4f5e76045f3ccd299bf99d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/sata_dwc_460ex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "596c7efd69aae94f4b0e91172b075eb197958b99",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "55e1465ba79562a191708a40eeae3f8082a209e3",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "fc629224aa62f23849cae83717932985ac51232d",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "234c0132f76f0676d175757f61b0025191a3d935",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "3a8751c0d4e24129e72dcec0139e99833b13904a",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
},
{
"lessThan": "7aa8104a554713b685db729e66511b93d989dd6a",
"status": "affected",
"version": "28361c403683c2b00d4f5e76045f3ccd299bf99d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/sata_dwc_460ex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: sata_dwc_460ex: Fix crash due to OOB write\n\nthe driver uses libata\u0027s \"tag\" values from in various arrays.\nSince the mentioned patch bumped the ATA_TAG_INTERNAL to 32,\nthe value of the SATA_DWC_QCMD_MAX needs to account for that.\n\nOtherwise ATA_TAG_INTERNAL usage cause similar crashes like\nthis as reported by Tice Rex on the OpenWrt Forum and\nreproduced (with symbols) here:\n\n| BUG: Kernel NULL pointer dereference at 0x00000000\n| Faulting instruction address: 0xc03ed4b8\n| Oops: Kernel access of bad area, sig: 11 [#1]\n| BE PAGE_SIZE=4K PowerPC 44x Platform\n| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0\n| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c\n| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)\n| MSR: 00021000 \u003cCE,ME\u003e CR: 42000222 XER: 00000000\n| DEAR: 00000000 ESR: 00000000\n| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]\n| [..]\n| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254\n| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| Call Trace:\n| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)\n| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524\n| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0\n| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204\n| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130\n| [...]\n\nThis is because sata_dwc_dma_xfer_complete() NULLs the\ndma_pending\u0027s next neighbour \"chan\" (a *dma_chan struct) in\nthis \u002732\u0027 case right here (line ~735):\n\u003e hsdevp-\u003edma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;\n\nThen the next time, a dma gets issued; dma_dwc_xfer_setup() passes\nthe NULL\u0027d hsdevp-\u003echan to the dmaengine_slave_config() which then\ncauses the crash.\n\nWith this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.\nThis avoids the OOB. But please note, there was a worthwhile discussion\non what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not\nbe a \"fake\" 33 command-long queue size.\n\nIdeally, the dw driver should account for the ATA_TAG_INTERNAL.\nIn Damien Le Moal\u0027s words: \"... having looked at the driver, it\nis a bigger change than just faking a 33rd \"tag\" that is in fact\nnot a command tag at all.\"\n\nBugLink: https://github.com/openwrt/openwrt/issues/9505"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:08.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/596c7efd69aae94f4b0e91172b075eb197958b99"
},
{
"url": "https://git.kernel.org/stable/c/55e1465ba79562a191708a40eeae3f8082a209e3"
},
{
"url": "https://git.kernel.org/stable/c/fc629224aa62f23849cae83717932985ac51232d"
},
{
"url": "https://git.kernel.org/stable/c/8a05a6952ecd59aaa62cbdcdaf523ae2c8f436e8"
},
{
"url": "https://git.kernel.org/stable/c/234c0132f76f0676d175757f61b0025191a3d935"
},
{
"url": "https://git.kernel.org/stable/c/3a8751c0d4e24129e72dcec0139e99833b13904a"
},
{
"url": "https://git.kernel.org/stable/c/7aa8104a554713b685db729e66511b93d989dd6a"
}
],
"title": "ata: sata_dwc_460ex: Fix crash due to OOB write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49073",
"datePublished": "2025-02-26T01:54:37.804Z",
"dateReserved": "2025-02-26T01:49:39.245Z",
"dateUpdated": "2025-05-04T08:29:08.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49082 (GCVE-0-2022-49082)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
The function mpt3sas_transport_port_remove() called in
_scsih_expander_node_remove() frees the port field of the sas_expander
structure, leading to the following use-after-free splat from KASAN when
the ioc_info() call following that function is executed (e.g. when doing
rmmod of the driver module):
[ 3479.371167] ==================================================================
[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
[ 3479.393524]
[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
[ 3479.409263] Call Trace:
[ 3479.411743] <TASK>
[ 3479.413875] dump_stack_lvl+0x45/0x59
[ 3479.417582] print_address_description.constprop.0+0x1f/0x120
[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.429469] kasan_report.cold+0x83/0xdf
[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40
[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]
[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
[ 3479.465529] ? down_write+0xde/0x150
[ 3479.470746] ? up_write+0x14d/0x460
[ 3479.475840] ? kernfs_find_ns+0x137/0x310
[ 3479.481438] pci_device_remove+0x65/0x110
[ 3479.487013] __device_release_driver+0x316/0x680
[ 3479.493180] driver_detach+0x1ec/0x2d0
[ 3479.498499] bus_remove_driver+0xe7/0x2d0
[ 3479.504081] pci_unregister_driver+0x26/0x250
[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510
[ 3479.522315] ? free_module+0xaa0/0xaa0
[ 3479.527593] ? __cond_resched+0x1c/0x90
[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70
[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110
[ 3479.551828] do_syscall_64+0x35/0x80
[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 3479.563402] RIP: 0033:0x7f1fc482483b
...
[ 3479.943087] ==================================================================
Fix this by introducing the local variable port_id to store the port ID
value before executing mpt3sas_transport_port_remove(). This local variable
is then used in the call to ioc_info() instead of dereferencing the freed
port structure.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:34.716925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_scsih.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25c1353dca74ad7cf3fd7ce258fe7c957a147d5e",
"status": "affected",
"version": "7d310f241001e090cf1ec0f3ae836b38d8c6ebec",
"versionType": "git"
},
{
"lessThan": "17d66b1c92bcb41e72271ec60069d3684aaa1c9c",
"status": "affected",
"version": "7d310f241001e090cf1ec0f3ae836b38d8c6ebec",
"versionType": "git"
},
{
"lessThan": "1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c",
"status": "affected",
"version": "7d310f241001e090cf1ec0f3ae836b38d8c6ebec",
"versionType": "git"
},
{
"lessThan": "87d663d40801dffc99a5ad3b0188ad3e2b4d1557",
"status": "affected",
"version": "7d310f241001e090cf1ec0f3ae836b38d8c6ebec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpt3sas/mpt3sas_scsih.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\n\nThe function mpt3sas_transport_port_remove() called in\n_scsih_expander_node_remove() frees the port field of the sas_expander\nstructure, leading to the following use-after-free splat from KASAN when\nthe ioc_info() call following that function is executed (e.g. when doing\nrmmod of the driver module):\n\n[ 3479.371167] ==================================================================\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\n[ 3479.393524]\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\n[ 3479.409263] Call Trace:\n[ 3479.411743] \u003cTASK\u003e\n[ 3479.413875] dump_stack_lvl+0x45/0x59\n[ 3479.417582] print_address_description.constprop.0+0x1f/0x120\n[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.429469] kasan_report.cold+0x83/0xdf\n[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40\n[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]\n[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\n[ 3479.465529] ? down_write+0xde/0x150\n[ 3479.470746] ? up_write+0x14d/0x460\n[ 3479.475840] ? kernfs_find_ns+0x137/0x310\n[ 3479.481438] pci_device_remove+0x65/0x110\n[ 3479.487013] __device_release_driver+0x316/0x680\n[ 3479.493180] driver_detach+0x1ec/0x2d0\n[ 3479.498499] bus_remove_driver+0xe7/0x2d0\n[ 3479.504081] pci_unregister_driver+0x26/0x250\n[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\n[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510\n[ 3479.522315] ? free_module+0xaa0/0xaa0\n[ 3479.527593] ? __cond_resched+0x1c/0x90\n[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70\n[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110\n[ 3479.551828] do_syscall_64+0x35/0x80\n[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\n...\n[ 3479.943087] ==================================================================\n\nFix this by introducing the local variable port_id to store the port ID\nvalue before executing mpt3sas_transport_port_remove(). This local variable\nis then used in the call to ioc_info() instead of dereferencing the freed\nport structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:20.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e"
},
{
"url": "https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c"
},
{
"url": "https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c"
},
{
"url": "https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557"
}
],
"title": "scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49082",
"datePublished": "2025-02-26T01:54:42.101Z",
"dateReserved": "2025-02-26T01:49:39.247Z",
"dateUpdated": "2025-05-04T08:29:20.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21782 (GCVE-0-2025-21782)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: fix a oob in orangefs_debug_write
I got a syzbot report: slab-out-of-bounds Read in
orangefs_debug_write... several people suggested fixes,
I tested Al Viro's suggestion and made this patch.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f Version: f7ab093f74bf638ed98fd1115f3efa17e308bb7f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:29.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/orangefs-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18b7f841109f697840fe8633cf7ed7d32bd3f91b",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "09d472a18c0ee1d5b83612cb919e33a1610fea16",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "8725882b0f691f8113b230aea9df0256030a63a6",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "1da2697307dad281dd690a19441b5ca4af92d786",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "2b84a231910cef2e0a16d29294afabfb69112087",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "897f496b946fdcfab5983c983e4b513ab6682364",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "1c5244299241cf49d8ae7b5054e299cc8faa4e09",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "f7c848431632598ff9bce57a659db6af60d75b39",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/orangefs-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix a oob in orangefs_debug_write\n\nI got a syzbot report: slab-out-of-bounds Read in\norangefs_debug_write... several people suggested fixes,\nI tested Al Viro\u0027s suggestion and made this patch."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:08.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18b7f841109f697840fe8633cf7ed7d32bd3f91b"
},
{
"url": "https://git.kernel.org/stable/c/09d472a18c0ee1d5b83612cb919e33a1610fea16"
},
{
"url": "https://git.kernel.org/stable/c/8725882b0f691f8113b230aea9df0256030a63a6"
},
{
"url": "https://git.kernel.org/stable/c/1da2697307dad281dd690a19441b5ca4af92d786"
},
{
"url": "https://git.kernel.org/stable/c/2b84a231910cef2e0a16d29294afabfb69112087"
},
{
"url": "https://git.kernel.org/stable/c/897f496b946fdcfab5983c983e4b513ab6682364"
},
{
"url": "https://git.kernel.org/stable/c/1c5244299241cf49d8ae7b5054e299cc8faa4e09"
},
{
"url": "https://git.kernel.org/stable/c/f7c848431632598ff9bce57a659db6af60d75b39"
}
],
"title": "orangefs: fix a oob in orangefs_debug_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21782",
"datePublished": "2025-02-27T02:18:24.506Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:29.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49649 (GCVE-0-2022-49649)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
xenvif_rx_next_skb() is expecting the rx queue not being empty, but
in case the loop in xenvif_rx_action() is doing multiple iterations,
the availability of another skb in the rx queue is not being checked.
This can lead to crashes:
[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]
[40072.537534] PGD 0 P4D 0
[40072.537644] Oops: 0000 [#1] SMP NOPTI
[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5
[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021
[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000
[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]
[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246
[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7
[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8
[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008
[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708
[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0
[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000
[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660
[40072.539211] Call Trace:
[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]
[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]
Fix that by stopping the loop in case the rx queue becomes empty.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 Version: 98f6d57ced73b723551568262019f1d6c8771f20 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:44.927179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/xen-netback/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0fcceb5f3f1ec197c014fe218c2f28108cacd27",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "d5320c6a27aa975aff740f9cb481dcbde48f4348",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "5a071aefd6414af5a20321ab58a0557b81993687",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "7425479d20f9e96f7c3ec8e8a93fe0d7478724cb",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "b9c32a6886af79d6e0ad87a7b01800ed079cdd02",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "b99174ac57fe5d8867448c03b23828e63f24cb1c",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "f0b5c819b062df8bf5f2acf4697e3871cb3722da",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
},
{
"lessThan": "94e8100678889ab428e68acadf042de723f094b9",
"status": "affected",
"version": "98f6d57ced73b723551568262019f1d6c8771f20",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/xen-netback/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue\n\nxenvif_rx_next_skb() is expecting the rx queue not being empty, but\nin case the loop in xenvif_rx_action() is doing multiple iterations,\nthe availability of another skb in the rx queue is not being checked.\n\nThis can lead to crashes:\n\n[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080\n[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]\n[40072.537534] PGD 0 P4D 0\n[40072.537644] Oops: 0000 [#1] SMP NOPTI\n[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5\n[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021\n[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000\n[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]\n[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246\n[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7\n[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8\n[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008\n[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708\n[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0\n[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000\n[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660\n[40072.539211] Call Trace:\n[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]\n[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]\n\nFix that by stopping the loop in case the rx queue becomes empty."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:33.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0fcceb5f3f1ec197c014fe218c2f28108cacd27"
},
{
"url": "https://git.kernel.org/stable/c/d5320c6a27aa975aff740f9cb481dcbde48f4348"
},
{
"url": "https://git.kernel.org/stable/c/5a071aefd6414af5a20321ab58a0557b81993687"
},
{
"url": "https://git.kernel.org/stable/c/7425479d20f9e96f7c3ec8e8a93fe0d7478724cb"
},
{
"url": "https://git.kernel.org/stable/c/b9c32a6886af79d6e0ad87a7b01800ed079cdd02"
},
{
"url": "https://git.kernel.org/stable/c/b99174ac57fe5d8867448c03b23828e63f24cb1c"
},
{
"url": "https://git.kernel.org/stable/c/f0b5c819b062df8bf5f2acf4697e3871cb3722da"
},
{
"url": "https://git.kernel.org/stable/c/94e8100678889ab428e68acadf042de723f094b9"
}
],
"title": "xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49649",
"datePublished": "2025-02-26T02:23:52.531Z",
"dateReserved": "2025-02-26T02:21:30.433Z",
"dateUpdated": "2025-10-01T19:36:48.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49215 (GCVE-0-2022-49215)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xsk: Fix race at socket teardown
Fix a race in the xsk socket teardown code that can lead to a NULL pointer
dereference splat. The current xsk unbind code in xsk_unbind_dev() starts by
setting xs->state to XSK_UNBOUND, sets xs->dev to NULL and then waits for any
NAPI processing to terminate using synchronize_net(). After that, the release
code starts to tear down the socket state and free allocated memory.
BUG: kernel NULL pointer dereference, address: 00000000000000c0
PGD 8000000932469067 P4D 8000000932469067 PUD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G I 5.16.0+ #2
Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015
RIP: 0010:__xsk_sendmsg+0x2c/0x690
[...]
RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258
RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800
RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800
R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000
FS: 00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0
Call Trace:
<TASK>
? aa_sk_perm+0x43/0x1b0
xsk_sendmsg+0xf0/0x110
sock_sendmsg+0x65/0x70
__sys_sendto+0x113/0x190
? debug_smp_processor_id+0x17/0x20
? fpregs_assert_state_consistent+0x23/0x50
? exit_to_user_mode_prepare+0xa5/0x1d0
__x64_sys_sendto+0x29/0x30
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
There are two problems with the current code. First, setting xs->dev to NULL
before waiting for all users to stop using the socket is not correct. The
entry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg()
are all guarded by a test that xs->state is in the state XSK_BOUND and if not,
it returns right away. But one process might have passed this test but still
have not gotten to the point in which it uses xs->dev in the code. In this
interim, a second process executing xsk_unbind_dev() might have set xs->dev to
NULL which will lead to a crash for the first process. The solution here is
just to get rid of this NULL assignment since it is not used anymore. Before
commit 42fddcc7c64b ("xsk: use state member for socket synchronization"),
xs->dev was the gatekeeper to admit processes into the data plane functions,
but it was replaced with the state variable xs->state in the aforementioned
commit.
The second problem is that synchronize_net() does not wait for any process in
xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that the
state they rely on might be cleaned up prematurely. This can happen when the
notifier gets called (at driver unload for example) as it uses xsk_unbind_dev().
Solve this by extending the RCU critical region from just the ndo_xsk_wakeup
to the whole functions mentioned above, so that both the test of xs->state ==
XSK_BOUND and the last use of any member of xs is covered by the RCU critical
section. This will guarantee that when synchronize_net() completes, there will
be no processes left executing xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and
state can be cleaned up safely. Note that we need to drop the RCU lock for the
skb xmit path as it uses functions that might sleep. Due to this, we have to
retest the xs->state after we grab the mutex that protects the skb xmit code
from, among a number of things, an xsk_unbind_dev() being executed from the
notifier at the same time.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:39.445986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:05.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad7219cd8751bd258b9d1e69ae0654ec00f71875",
"status": "affected",
"version": "42fddcc7c64b723a867c7b2f5f7505e244212f13",
"versionType": "git"
},
{
"lessThan": "d1579253ffce39986e7a6ab757ac93b2680a665f",
"status": "affected",
"version": "42fddcc7c64b723a867c7b2f5f7505e244212f13",
"versionType": "git"
},
{
"lessThan": "8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9",
"status": "affected",
"version": "42fddcc7c64b723a867c7b2f5f7505e244212f13",
"versionType": "git"
},
{
"lessThan": "18b1ab7aa76bde181bdb1ab19a87fa9523c32f21",
"status": "affected",
"version": "42fddcc7c64b723a867c7b2f5f7505e244212f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xdp/xsk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix race at socket teardown\n\nFix a race in the xsk socket teardown code that can lead to a NULL pointer\ndereference splat. The current xsk unbind code in xsk_unbind_dev() starts by\nsetting xs-\u003estate to XSK_UNBOUND, sets xs-\u003edev to NULL and then waits for any\nNAPI processing to terminate using synchronize_net(). After that, the release\ncode starts to tear down the socket state and free allocated memory.\n\n BUG: kernel NULL pointer dereference, address: 00000000000000c0\n PGD 8000000932469067 P4D 8000000932469067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G I 5.16.0+ #2\n Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015\n RIP: 0010:__xsk_sendmsg+0x2c/0x690\n [...]\n RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258\n RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800\n RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800\n R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000\n FS: 00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0\n Call Trace:\n \u003cTASK\u003e\n ? aa_sk_perm+0x43/0x1b0\n xsk_sendmsg+0xf0/0x110\n sock_sendmsg+0x65/0x70\n __sys_sendto+0x113/0x190\n ? debug_smp_processor_id+0x17/0x20\n ? fpregs_assert_state_consistent+0x23/0x50\n ? exit_to_user_mode_prepare+0xa5/0x1d0\n __x64_sys_sendto+0x29/0x30\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThere are two problems with the current code. First, setting xs-\u003edev to NULL\nbefore waiting for all users to stop using the socket is not correct. The\nentry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg()\nare all guarded by a test that xs-\u003estate is in the state XSK_BOUND and if not,\nit returns right away. But one process might have passed this test but still\nhave not gotten to the point in which it uses xs-\u003edev in the code. In this\ninterim, a second process executing xsk_unbind_dev() might have set xs-\u003edev to\nNULL which will lead to a crash for the first process. The solution here is\njust to get rid of this NULL assignment since it is not used anymore. Before\ncommit 42fddcc7c64b (\"xsk: use state member for socket synchronization\"),\nxs-\u003edev was the gatekeeper to admit processes into the data plane functions,\nbut it was replaced with the state variable xs-\u003estate in the aforementioned\ncommit.\n\nThe second problem is that synchronize_net() does not wait for any process in\nxsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that the\nstate they rely on might be cleaned up prematurely. This can happen when the\nnotifier gets called (at driver unload for example) as it uses xsk_unbind_dev().\nSolve this by extending the RCU critical region from just the ndo_xsk_wakeup\nto the whole functions mentioned above, so that both the test of xs-\u003estate ==\nXSK_BOUND and the last use of any member of xs is covered by the RCU critical\nsection. This will guarantee that when synchronize_net() completes, there will\nbe no processes left executing xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and\nstate can be cleaned up safely. Note that we need to drop the RCU lock for the\nskb xmit path as it uses functions that might sleep. Due to this, we have to\nretest the xs-\u003estate after we grab the mutex that protects the skb xmit code\nfrom, among a number of things, an xsk_unbind_dev() being executed from the\nnotifier at the same time."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:32.353Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad7219cd8751bd258b9d1e69ae0654ec00f71875"
},
{
"url": "https://git.kernel.org/stable/c/d1579253ffce39986e7a6ab757ac93b2680a665f"
},
{
"url": "https://git.kernel.org/stable/c/8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9"
},
{
"url": "https://git.kernel.org/stable/c/18b1ab7aa76bde181bdb1ab19a87fa9523c32f21"
}
],
"title": "xsk: Fix race at socket teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49215",
"datePublished": "2025-02-26T01:55:50.154Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:05.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49628 (GCVE-0-2022-49628)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix leaks in probe
These two error paths should clean up before returning.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac-ingenic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4bd3202a2b4194ab6c0ce61628095d54f994db4",
"status": "affected",
"version": "2bb4b98b60d7dc89fc0a5bb64534be348ab654df",
"versionType": "git"
},
{
"lessThan": "dd91bc60f305610401b2196bedb573693d6c8e46",
"status": "affected",
"version": "2bb4b98b60d7dc89fc0a5bb64534be348ab654df",
"versionType": "git"
},
{
"lessThan": "23aa6d5088e3bd65de77c5c307237b9937f8b48a",
"status": "affected",
"version": "2bb4b98b60d7dc89fc0a5bb64534be348ab654df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac-ingenic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix leaks in probe\n\nThese two error paths should clean up before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:07.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4bd3202a2b4194ab6c0ce61628095d54f994db4"
},
{
"url": "https://git.kernel.org/stable/c/dd91bc60f305610401b2196bedb573693d6c8e46"
},
{
"url": "https://git.kernel.org/stable/c/23aa6d5088e3bd65de77c5c307237b9937f8b48a"
}
],
"title": "net: stmmac: fix leaks in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49628",
"datePublished": "2025-02-26T02:23:42.241Z",
"dateReserved": "2025-02-26T02:21:30.422Z",
"dateUpdated": "2025-05-04T08:42:07.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49611 (GCVE-0-2022-49611)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/speculation: Fill RSB on vmexit for IBRS
Prevent RSB underflow/poisoning attacks with RSB. While at it, add a
bunch of comments to attempt to document the current state of tribal
knowledge about RSB attacks and what exactly is being mitigated.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/vmx/vmenter.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d323b99ff5c8c57005184056d65f6af5b0479d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f744b88dfc201bf8092833ec70b23c720188b527",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17a9fc4a7b91f8599223631bb6ae6416bc0de1c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d7f72b6e1bc630bec7e4cd51814bc2b092bf153",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d5cff499a6d740c91ff37963907e0e983c37f0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c38306e2e9257af4af2819aa287a4711ff36329",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9756bba28470722dacb79ffce554336dd1f6a6cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/vmx/vmenter.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.266",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.266",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.217",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/speculation: Fill RSB on vmexit for IBRS\n\nPrevent RSB underflow/poisoning attacks with RSB. While at it, add a\nbunch of comments to attempt to document the current state of tribal\nknowledge about RSB attacks and what exactly is being mitigated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:45.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d323b99ff5c8c57005184056d65f6af5b0479d8"
},
{
"url": "https://git.kernel.org/stable/c/f744b88dfc201bf8092833ec70b23c720188b527"
},
{
"url": "https://git.kernel.org/stable/c/17a9fc4a7b91f8599223631bb6ae6416bc0de1c0"
},
{
"url": "https://git.kernel.org/stable/c/4d7f72b6e1bc630bec7e4cd51814bc2b092bf153"
},
{
"url": "https://git.kernel.org/stable/c/8d5cff499a6d740c91ff37963907e0e983c37f0f"
},
{
"url": "https://git.kernel.org/stable/c/8c38306e2e9257af4af2819aa287a4711ff36329"
},
{
"url": "https://git.kernel.org/stable/c/9756bba28470722dacb79ffce554336dd1f6a6cd"
}
],
"title": "x86/speculation: Fill RSB on vmexit for IBRS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49611",
"datePublished": "2025-02-26T02:23:33.779Z",
"dateReserved": "2025-02-26T02:21:30.418Z",
"dateUpdated": "2025-05-04T08:41:45.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49739 (GCVE-0-2022-49739)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Always check inode size of inline inodes
Check if the inode size of stuffed (inline) inodes is within the allowed
range when reading inodes from disk (gfs2_dinode_in()). This prevents
us from on-disk corruption.
The two checks in stuffed_readpage() and gfs2_unstuffer_page() that just
truncate inline data to the maximum allowed size don't actually make
sense, and they can be removed now as well.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/aops.c",
"fs/gfs2/bmap.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45df749f827c286adbc951f2a4865b67f0442ba9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d4cb76636134bf9a0c9c3432dae936f99954586",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c414f6f06e9a3934901b6edc3177ae5a1e07094",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c9088cabd4d0469fdb61ac2a9c5003057fe94d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d458a0984429c2d47e60254f5bc4119cbafe83a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70376c7ff31221f1d21db5611d8209e677781d3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/aops.c",
"fs/gfs2/bmap.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Always check inode size of inline inodes\n\nCheck if the inode size of stuffed (inline) inodes is within the allowed\nrange when reading inodes from disk (gfs2_dinode_in()). This prevents\nus from on-disk corruption.\n\nThe two checks in stuffed_readpage() and gfs2_unstuffer_page() that just\ntruncate inline data to the maximum allowed size don\u0027t actually make\nsense, and they can be removed now as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:21.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45df749f827c286adbc951f2a4865b67f0442ba9"
},
{
"url": "https://git.kernel.org/stable/c/4d4cb76636134bf9a0c9c3432dae936f99954586"
},
{
"url": "https://git.kernel.org/stable/c/7c414f6f06e9a3934901b6edc3177ae5a1e07094"
},
{
"url": "https://git.kernel.org/stable/c/46c9088cabd4d0469fdb61ac2a9c5003057fe94d"
},
{
"url": "https://git.kernel.org/stable/c/d458a0984429c2d47e60254f5bc4119cbafe83a2"
},
{
"url": "https://git.kernel.org/stable/c/70376c7ff31221f1d21db5611d8209e677781d3a"
}
],
"title": "gfs2: Always check inode size of inline inodes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49739",
"datePublished": "2025-03-27T16:42:51.609Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:21.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47408 (GCVE-0-2024-47408)
Vulnerability from cvelistv5
Published
2025-01-11 12:35
Modified
2025-11-03 20:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: check smcd_v2_ext_offset when receiving proposal msg
When receiving proposal msg in server, the field smcd_v2_ext_offset in
proposal msg is from the remote client and can not be fully trusted.
Once the value of smcd_v2_ext_offset exceed the max value, there has
the chance to access wrong address, and crash may happen.
This patch checks the value of smcd_v2_ext_offset before using it.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:39:33.276Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc_clc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a36364d8d4fabb105001f992fb8ff2d3546203d6",
"status": "affected",
"version": "5c21c4ccafe85906db809de3af391fd434df8a27",
"versionType": "git"
},
{
"lessThan": "e1cc8be2a785a8f1ce1f597f3e608602c5fccd46",
"status": "affected",
"version": "5c21c4ccafe85906db809de3af391fd434df8a27",
"versionType": "git"
},
{
"lessThan": "935caf324b445fe73d7708fae6f7176fb243f357",
"status": "affected",
"version": "5c21c4ccafe85906db809de3af391fd434df8a27",
"versionType": "git"
},
{
"lessThan": "48d5a8a304a643613dab376a278f29d3e22f7c34",
"status": "affected",
"version": "5c21c4ccafe85906db809de3af391fd434df8a27",
"versionType": "git"
},
{
"lessThan": "9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad",
"status": "affected",
"version": "5c21c4ccafe85906db809de3af391fd434df8a27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc_clc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check smcd_v2_ext_offset when receiving proposal msg\n\nWhen receiving proposal msg in server, the field smcd_v2_ext_offset in\nproposal msg is from the remote client and can not be fully trusted.\nOnce the value of smcd_v2_ext_offset exceed the max value, there has\nthe chance to access wrong address, and crash may happen.\n\nThis patch checks the value of smcd_v2_ext_offset before using it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:36:30.974Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a36364d8d4fabb105001f992fb8ff2d3546203d6"
},
{
"url": "https://git.kernel.org/stable/c/e1cc8be2a785a8f1ce1f597f3e608602c5fccd46"
},
{
"url": "https://git.kernel.org/stable/c/935caf324b445fe73d7708fae6f7176fb243f357"
},
{
"url": "https://git.kernel.org/stable/c/48d5a8a304a643613dab376a278f29d3e22f7c34"
},
{
"url": "https://git.kernel.org/stable/c/9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad"
}
],
"title": "net/smc: check smcd_v2_ext_offset when receiving proposal msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47408",
"datePublished": "2025-01-11T12:35:35.284Z",
"dateReserved": "2025-01-11T12:34:02.588Z",
"dateUpdated": "2025-11-03T20:39:33.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53029 (GCVE-0-2023-53029)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt
The commit 4af1b64f80fb ("octeontx2-pf: Fix lmtst ID used in aura
free") uses the get/put_cpu() to protect the usage of percpu pointer
in ->aura_freeptr() callback, but it also unnecessarily disable the
preemption for the blockable memory allocation. The commit 87b93b678e95
("octeontx2-pf: Avoid use of GFP_KERNEL in atomic context") tried to
fix these sleep inside atomic warnings. But it only fix the one for
the non-rt kernel. For the rt kernel, we still get the similar warnings
like below.
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by swapper/0/1:
#0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30
#1: ffff000100c276c0 (&mbox->lock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4
#2: ffffffbfef6537e0 (&cpu_rcache->lock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac
Preemption disabled at:
[<ffff800008b1908c>] otx2_rq_aura_pool_init+0x14c/0x284
CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1
Hardware name: Marvell OcteonTX CN96XX board (DT)
Call trace:
dump_backtrace.part.0+0xe8/0xf4
show_stack+0x20/0x30
dump_stack_lvl+0x9c/0xd8
dump_stack+0x18/0x34
__might_resched+0x188/0x224
rt_spin_lock+0x64/0x110
alloc_iova_fast+0x1ac/0x2ac
iommu_dma_alloc_iova+0xd4/0x110
__iommu_dma_map+0x80/0x144
iommu_dma_map_page+0xe8/0x260
dma_map_page_attrs+0xb4/0xc0
__otx2_alloc_rbuf+0x90/0x150
otx2_rq_aura_pool_init+0x1c8/0x284
otx2_init_hw_resources+0xe4/0x3a4
otx2_open+0xf0/0x610
__dev_open+0x104/0x224
__dev_change_flags+0x1e4/0x274
dev_change_flags+0x2c/0x7c
ic_open_devs+0x124/0x2f8
ip_auto_config+0x180/0x42c
do_one_initcall+0x90/0x4dc
do_basic_setup+0x10c/0x14c
kernel_init_freeable+0x10c/0x13c
kernel_init+0x2c/0x140
ret_from_fork+0x10/0x20
Of course, we can shuffle the get/put_cpu() to only wrap the invocation
of ->aura_freeptr() as what commit 87b93b678e95 does. But there are only
two ->aura_freeptr() callbacks, otx2_aura_freeptr() and
cn10k_aura_freeptr(). There is no usage of perpcu variable in the
otx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.
We can move the get/put_cpu() into the corresponding callback which
really has the percpu variable usage and avoid the sprinkling of
get/put_cpu() in several places.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c",
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e9c67bf3271067735c188e95cf3631ecd64d58",
"status": "affected",
"version": "6ea5273c71dd2d07c0a2459594eb34bc087939f7",
"versionType": "git"
},
{
"lessThan": "659518e013d6bd562bb0f1d2d9f99d0ac54720e2",
"status": "affected",
"version": "667ce030bdfb62a86266444b2c3fd6ab98b9df9b",
"versionType": "git"
},
{
"lessThan": "55ba18dc62deff5910c0fa64486dea1ff20832ff",
"status": "affected",
"version": "4af1b64f80fbe1275fb02c5f1c0cef099a4a231f",
"versionType": "git"
},
{
"status": "affected",
"version": "b754dc7c933dd9464223f64b10d33d68ab086cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c",
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.91",
"status": "affected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt\n\nThe commit 4af1b64f80fb (\"octeontx2-pf: Fix lmtst ID used in aura\nfree\") uses the get/put_cpu() to protect the usage of percpu pointer\nin -\u003eaura_freeptr() callback, but it also unnecessarily disable the\npreemption for the blockable memory allocation. The commit 87b93b678e95\n(\"octeontx2-pf: Avoid use of GFP_KERNEL in atomic context\") tried to\nfix these sleep inside atomic warnings. But it only fix the one for\nthe non-rt kernel. For the rt kernel, we still get the similar warnings\nlike below.\n BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n preempt_count: 1, expected: 0\n RCU nest depth: 0, expected: 0\n 3 locks held by swapper/0/1:\n #0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30\n #1: ffff000100c276c0 (\u0026mbox-\u003elock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4\n #2: ffffffbfef6537e0 (\u0026cpu_rcache-\u003elock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac\n Preemption disabled at:\n [\u003cffff800008b1908c\u003e] otx2_rq_aura_pool_init+0x14c/0x284\n CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1\n Hardware name: Marvell OcteonTX CN96XX board (DT)\n Call trace:\n dump_backtrace.part.0+0xe8/0xf4\n show_stack+0x20/0x30\n dump_stack_lvl+0x9c/0xd8\n dump_stack+0x18/0x34\n __might_resched+0x188/0x224\n rt_spin_lock+0x64/0x110\n alloc_iova_fast+0x1ac/0x2ac\n iommu_dma_alloc_iova+0xd4/0x110\n __iommu_dma_map+0x80/0x144\n iommu_dma_map_page+0xe8/0x260\n dma_map_page_attrs+0xb4/0xc0\n __otx2_alloc_rbuf+0x90/0x150\n otx2_rq_aura_pool_init+0x1c8/0x284\n otx2_init_hw_resources+0xe4/0x3a4\n otx2_open+0xf0/0x610\n __dev_open+0x104/0x224\n __dev_change_flags+0x1e4/0x274\n dev_change_flags+0x2c/0x7c\n ic_open_devs+0x124/0x2f8\n ip_auto_config+0x180/0x42c\n do_one_initcall+0x90/0x4dc\n do_basic_setup+0x10c/0x14c\n kernel_init_freeable+0x10c/0x13c\n kernel_init+0x2c/0x140\n ret_from_fork+0x10/0x20\n\nOf course, we can shuffle the get/put_cpu() to only wrap the invocation\nof -\u003eaura_freeptr() as what commit 87b93b678e95 does. But there are only\ntwo -\u003eaura_freeptr() callbacks, otx2_aura_freeptr() and\ncn10k_aura_freeptr(). There is no usage of perpcu variable in the\notx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.\nWe can move the get/put_cpu() into the corresponding callback which\nreally has the percpu variable usage and avoid the sprinkling of\nget/put_cpu() in several places."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:09.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e9c67bf3271067735c188e95cf3631ecd64d58"
},
{
"url": "https://git.kernel.org/stable/c/659518e013d6bd562bb0f1d2d9f99d0ac54720e2"
},
{
"url": "https://git.kernel.org/stable/c/55ba18dc62deff5910c0fa64486dea1ff20832ff"
}
],
"title": "octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53029",
"datePublished": "2025-03-27T16:43:58.234Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T12:50:09.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49314 (GCVE-0-2022-49314)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: Fix a possible resource leak in icom_probe
When pci_read_config_dword failed, call pci_release_regions() and
pci_disable_device() to recycle the resource previously allocated.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:06.570220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:57.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/icom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4c836d90da1ece88905d62ce2ce39a962f25d1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d703d912a985c1c5b50dd38c3181fc3540fa77cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a2df0b4d080cc770b4da7bff487048c803dfd07e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c014373f178a4f13a08e045ef63bdb23f62e892",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cb7147afd328c07edeeee287710d8d96ac0459f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f9b2e4ca88cab1a96b86ecd45544e488ca43faf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23e155b51d403c0ccedc60c0d6c3c452afed07fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9a8305f357a8d03698fc7bc855ff9c6865d5486b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee157a79e7c82b01ae4c25de0ac75899801f322c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/icom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix a possible resource leak in icom_probe\n\nWhen pci_read_config_dword failed, call pci_release_regions() and\npci_disable_device() to recycle the resource previously allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:00.853Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4c836d90da1ece88905d62ce2ce39a962f25d1a"
},
{
"url": "https://git.kernel.org/stable/c/d703d912a985c1c5b50dd38c3181fc3540fa77cb"
},
{
"url": "https://git.kernel.org/stable/c/a2df0b4d080cc770b4da7bff487048c803dfd07e"
},
{
"url": "https://git.kernel.org/stable/c/8c014373f178a4f13a08e045ef63bdb23f62e892"
},
{
"url": "https://git.kernel.org/stable/c/cb7147afd328c07edeeee287710d8d96ac0459f5"
},
{
"url": "https://git.kernel.org/stable/c/5f9b2e4ca88cab1a96b86ecd45544e488ca43faf"
},
{
"url": "https://git.kernel.org/stable/c/23e155b51d403c0ccedc60c0d6c3c452afed07fe"
},
{
"url": "https://git.kernel.org/stable/c/9a8305f357a8d03698fc7bc855ff9c6865d5486b"
},
{
"url": "https://git.kernel.org/stable/c/ee157a79e7c82b01ae4c25de0ac75899801f322c"
}
],
"title": "tty: Fix a possible resource leak in icom_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49314",
"datePublished": "2025-02-26T02:10:42.594Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:57.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49438 (GCVE-0-2022-49438)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: sparcspkr - fix refcount leak in bbc_beep_probe
of_find_node_by_path() calls of_find_node_opts_by_path(),
which returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 Version: 9c1a5077fdca99356c891af37931e537dea874f5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:02.614022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:49.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/sparcspkr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f51db16cb740ff90086189a1ef2581eab665591",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "f13064b0f2c651a3fbb0749932795c6fd21556a8",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "353bc58ac6c782d4dcde9136a91d1f90867938fe",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "bbc2b0ce6042dd3117827f10ea8cb67e0ab786da",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "6e07ccc7d56130f760d23f67a70c45366c07debc",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "418b6a3e12f75638abc5673eb76cb32127d0ab13",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "73d6f42d8d86648bec2e73d34fe1648cb6d23e08",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "1124e39fea0e2fdb4202f95b716cb97cc7de7cc7",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
},
{
"lessThan": "c8994b30d71d64d5dcc9bc0edbfdf367171aa96f",
"status": "affected",
"version": "9c1a5077fdca99356c891af37931e537dea874f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/sparcspkr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: sparcspkr - fix refcount leak in bbc_beep_probe\n\nof_find_node_by_path() calls of_find_node_opts_by_path(),\nwhich returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:39.980Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f51db16cb740ff90086189a1ef2581eab665591"
},
{
"url": "https://git.kernel.org/stable/c/f13064b0f2c651a3fbb0749932795c6fd21556a8"
},
{
"url": "https://git.kernel.org/stable/c/353bc58ac6c782d4dcde9136a91d1f90867938fe"
},
{
"url": "https://git.kernel.org/stable/c/bbc2b0ce6042dd3117827f10ea8cb67e0ab786da"
},
{
"url": "https://git.kernel.org/stable/c/6e07ccc7d56130f760d23f67a70c45366c07debc"
},
{
"url": "https://git.kernel.org/stable/c/418b6a3e12f75638abc5673eb76cb32127d0ab13"
},
{
"url": "https://git.kernel.org/stable/c/73d6f42d8d86648bec2e73d34fe1648cb6d23e08"
},
{
"url": "https://git.kernel.org/stable/c/1124e39fea0e2fdb4202f95b716cb97cc7de7cc7"
},
{
"url": "https://git.kernel.org/stable/c/c8994b30d71d64d5dcc9bc0edbfdf367171aa96f"
}
],
"title": "Input: sparcspkr - fix refcount leak in bbc_beep_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49438",
"datePublished": "2025-02-26T02:12:53.007Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-10-01T19:46:49.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21744 (GCVE-0-2025-21744)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
On removal of the device or unloading of the kernel module a potential NULL
pointer dereference occurs.
The following sequence deletes the interface:
brcmf_detach()
brcmf_remove_interface()
brcmf_del_if()
Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
After brcmf_remove_interface() call the brcmf_proto_detach() function is
called providing the following sequence:
brcmf_detach()
brcmf_proto_detach()
brcmf_proto_msgbuf_detach()
brcmf_flowring_detach()
brcmf_msgbuf_delete_flowring()
brcmf_msgbuf_remove_flowring()
brcmf_flowring_delete()
brcmf_get_ifp()
brcmf_txfinalize()
Since brcmf_get_ip() can and actually will return NULL in this case the
call to brcmf_txfinalize() will result in a NULL pointer dereference inside
brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
This will only happen if a flowring still has an skb.
Although the NULL pointer dereference has only been seen when trying to
update the tx statistic, all other uses of the ifp pointer have been
guarded as well with an early return if ifp is NULL.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:47.312Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2326e19190e176fd72bb542b837a9d2b7fcb8693",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59ff4fa653ff6db07c61152516ffba79c2a74bda",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61541d9b5a23df33934fcc620a3a81f246b1b240",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e51d6d093e763348916e69d06d87e0a5593661b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3877fc67bd3d5566cc12763bce39710ceb74a97d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a2beefc4fa49ebc22e664dc6b39dbd054f8488f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "68abd0c4ebf24cd499841a488b97a6873d5efabb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()\n\nOn removal of the device or unloading of the kernel module a potential NULL\npointer dereference occurs.\n\nThe following sequence deletes the interface:\n\n brcmf_detach()\n brcmf_remove_interface()\n brcmf_del_if()\n\nInside the brcmf_del_if() function the drvr-\u003eif2bss[ifidx] is updated to\nBRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.\n\nAfter brcmf_remove_interface() call the brcmf_proto_detach() function is\ncalled providing the following sequence:\n\n brcmf_detach()\n brcmf_proto_detach()\n brcmf_proto_msgbuf_detach()\n brcmf_flowring_detach()\n brcmf_msgbuf_delete_flowring()\n brcmf_msgbuf_remove_flowring()\n brcmf_flowring_delete()\n brcmf_get_ifp()\n brcmf_txfinalize()\n\nSince brcmf_get_ip() can and actually will return NULL in this case the\ncall to brcmf_txfinalize() will result in a NULL pointer dereference inside\nbrcmf_txfinalize() when trying to update ifp-\u003endev-\u003estats.tx_errors.\n\nThis will only happen if a flowring still has an skb.\n\nAlthough the NULL pointer dereference has only been seen when trying to\nupdate the tx statistic, all other uses of the ifp pointer have been\nguarded as well with an early return if ifp is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:11.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2326e19190e176fd72bb542b837a9d2b7fcb8693"
},
{
"url": "https://git.kernel.org/stable/c/59ff4fa653ff6db07c61152516ffba79c2a74bda"
},
{
"url": "https://git.kernel.org/stable/c/61541d9b5a23df33934fcc620a3a81f246b1b240"
},
{
"url": "https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b"
},
{
"url": "https://git.kernel.org/stable/c/3877fc67bd3d5566cc12763bce39710ceb74a97d"
},
{
"url": "https://git.kernel.org/stable/c/fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58"
},
{
"url": "https://git.kernel.org/stable/c/a2beefc4fa49ebc22e664dc6b39dbd054f8488f9"
},
{
"url": "https://git.kernel.org/stable/c/68abd0c4ebf24cd499841a488b97a6873d5efabb"
}
],
"title": "wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21744",
"datePublished": "2025-02-27T02:12:17.259Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-11-03T19:36:47.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49165 (GCVE-0-2022-49165)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers
If the application queues an NV12M jpeg as output buffer, but then
queues a single planar capture buffer, the kernel will crash with
"Unable to handle kernel NULL pointer dereference" in mxc_jpeg_addrs,
prevent this by finishing the job with error.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eff76b180751e5e55c872d17755680c3b83ba9ab",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "8d075ede7d24f19dc817c5bd517a53f0524f9031",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "4eb591c47c82a6a6ad293ed108c3cb77115fbc25",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "417591a766b3c040c346044541ff949c0b2bb7b2",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers\n\nIf the application queues an NV12M jpeg as output buffer, but then\nqueues a single planar capture buffer, the kernel will crash with\n\"Unable to handle kernel NULL pointer dereference\" in mxc_jpeg_addrs,\nprevent this by finishing the job with error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:23.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eff76b180751e5e55c872d17755680c3b83ba9ab"
},
{
"url": "https://git.kernel.org/stable/c/8d075ede7d24f19dc817c5bd517a53f0524f9031"
},
{
"url": "https://git.kernel.org/stable/c/4eb591c47c82a6a6ad293ed108c3cb77115fbc25"
},
{
"url": "https://git.kernel.org/stable/c/417591a766b3c040c346044541ff949c0b2bb7b2"
}
],
"title": "media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49165",
"datePublished": "2025-02-26T01:55:25.028Z",
"dateReserved": "2025-02-26T01:49:39.278Z",
"dateUpdated": "2025-05-04T08:31:23.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49511 (GCVE-0-2022-49511)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: defio: fix the pagelist corruption
Easily hit the below list corruption:
==
list_add corruption. prev->next should be next (ffffffffc0ceb090), but
was ffffec604507edc8. (prev=ffffec604507edc8).
WARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26
__list_add_valid+0x53/0x80
CPU: 65 PID: 3959 Comm: fbdev Tainted: G U
RIP: 0010:__list_add_valid+0x53/0x80
Call Trace:
<TASK>
fb_deferred_io_mkwrite+0xea/0x150
do_page_mkwrite+0x57/0xc0
do_wp_page+0x278/0x2f0
__handle_mm_fault+0xdc2/0x1590
handle_mm_fault+0xdd/0x2c0
do_user_addr_fault+0x1d3/0x650
exc_page_fault+0x77/0x180
? asm_exc_page_fault+0x8/0x30
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x7fd98fc8fad1
==
Figure out the race happens when one process is adding &page->lru into
the pagelist tail in fb_deferred_io_mkwrite(), another process is
re-initializing the same &page->lru in fb_deferred_io_fault(), which is
not protected by the lock.
This fix is to init all the page lists one time during initialization,
it not only fixes the list corruption, but also avoids INIT_LIST_HEAD()
redundantly.
V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fb_defio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e79b2b2aadeffe1db54a6b569b9b621575c3eb07",
"status": "affected",
"version": "5d3aff76a3165087b0f897c0d677dfa987d9875d",
"versionType": "git"
},
{
"lessThan": "6a9ae2fe887042f76fd3d334349e64e8ab3c55a2",
"status": "affected",
"version": "105a940416fc622406653b6fe54732897642dfbc",
"versionType": "git"
},
{
"lessThan": "856082f021a28221db2c32bd0531614a8382be67",
"status": "affected",
"version": "105a940416fc622406653b6fe54732897642dfbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fb_defio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: defio: fix the pagelist corruption\n\nEasily hit the below list corruption:\n==\nlist_add corruption. prev-\u003enext should be next (ffffffffc0ceb090), but\nwas ffffec604507edc8. (prev=ffffec604507edc8).\nWARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26\n__list_add_valid+0x53/0x80\nCPU: 65 PID: 3959 Comm: fbdev Tainted: G U\nRIP: 0010:__list_add_valid+0x53/0x80\nCall Trace:\n \u003cTASK\u003e\n fb_deferred_io_mkwrite+0xea/0x150\n do_page_mkwrite+0x57/0xc0\n do_wp_page+0x278/0x2f0\n __handle_mm_fault+0xdc2/0x1590\n handle_mm_fault+0xdd/0x2c0\n do_user_addr_fault+0x1d3/0x650\n exc_page_fault+0x77/0x180\n ? asm_exc_page_fault+0x8/0x30\n asm_exc_page_fault+0x1e/0x30\nRIP: 0033:0x7fd98fc8fad1\n==\n\nFigure out the race happens when one process is adding \u0026page-\u003elru into\nthe pagelist tail in fb_deferred_io_mkwrite(), another process is\nre-initializing the same \u0026page-\u003elru in fb_deferred_io_fault(), which is\nnot protected by the lock.\n\nThis fix is to init all the page lists one time during initialization,\nit not only fixes the list corruption, but also avoids INIT_LIST_HEAD()\nredundantly.\n\nV2: change \"int i\" to \"unsigned int i\" (Geert Uytterhoeven)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:30.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e79b2b2aadeffe1db54a6b569b9b621575c3eb07"
},
{
"url": "https://git.kernel.org/stable/c/6a9ae2fe887042f76fd3d334349e64e8ab3c55a2"
},
{
"url": "https://git.kernel.org/stable/c/856082f021a28221db2c32bd0531614a8382be67"
}
],
"title": "fbdev: defio: fix the pagelist corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49511",
"datePublished": "2025-02-26T02:13:41.433Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-05-04T08:39:30.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49532 (GCVE-0-2022-49532)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
drm_cvt_mode may return NULL and we should check it.
This bug is found by syzkaller:
FAULT_INJECTION stacktrace:
[ 168.567394] FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
[ 168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
[ 168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 168.567408] Call trace:
[ 168.567414] dump_backtrace+0x0/0x310
[ 168.567418] show_stack+0x28/0x38
[ 168.567423] dump_stack+0xec/0x15c
[ 168.567427] should_fail+0x3ac/0x3d0
[ 168.567437] __should_failslab+0xb8/0x120
[ 168.567441] should_failslab+0x28/0xc0
[ 168.567445] kmem_cache_alloc_trace+0x50/0x640
[ 168.567454] drm_mode_create+0x40/0x90
[ 168.567458] drm_cvt_mode+0x48/0xc78
[ 168.567477] virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]
[ 168.567485] drm_helper_probe_single_connector_modes+0x3a4/0xd80
[ 168.567492] drm_mode_getconnector+0x2e0/0xa70
[ 168.567496] drm_ioctl_kernel+0x11c/0x1d8
[ 168.567514] drm_ioctl+0x558/0x6d0
[ 168.567522] do_vfs_ioctl+0x160/0xf30
[ 168.567525] ksys_ioctl+0x98/0xd8
[ 168.567530] __arm64_sys_ioctl+0x50/0xc8
[ 168.567536] el0_svc_common+0xc8/0x320
[ 168.567540] el0_svc_handler+0xf8/0x160
[ 168.567544] el0_svc+0x10/0x218
KASAN stacktrace:
[ 168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
[ 168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425
[ 168.567566]
[ 168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
[ 168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 168.567575] Call trace:
[ 168.567578] dump_backtrace+0x0/0x310
[ 168.567582] show_stack+0x28/0x38
[ 168.567586] dump_stack+0xec/0x15c
[ 168.567591] kasan_report+0x244/0x2f0
[ 168.567594] __asan_load4+0x58/0xb0
[ 168.567607] virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
[ 168.567612] drm_helper_probe_single_connector_modes+0x3a4/0xd80
[ 168.567617] drm_mode_getconnector+0x2e0/0xa70
[ 168.567621] drm_ioctl_kernel+0x11c/0x1d8
[ 168.567624] drm_ioctl+0x558/0x6d0
[ 168.567628] do_vfs_ioctl+0x160/0xf30
[ 168.567632] ksys_ioctl+0x98/0xd8
[ 168.567636] __arm64_sys_ioctl+0x50/0xc8
[ 168.567641] el0_svc_common+0xc8/0x320
[ 168.567645] el0_svc_handler+0xf8/0x160
[ 168.567649] el0_svc+0x10/0x218
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:52.324584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:41.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e0828456578cc8ba0a69147f7ae3428392eec287",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "848dd072744ea662ab3097e3c8282bee552df218",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edafcad84c4134ebec4bc24b29ca4497a1184eea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f85cb059fad03a3b33a50023be91e944bb065ae8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fadc626cae99aaa1325094edc6a9e2b883f3e562",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "32e10aabc287f09a148ff759bb9ce70b01b0012c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c51d00472fa54b9b05c17789ed665c17adf3a25d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f8bc147a963686b7351aa35d1701124ffacac08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "194d250cdc4a40ccbd179afd522a9e9846957402",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes\n\ndrm_cvt_mode may return NULL and we should check it.\n\nThis bug is found by syzkaller:\n\nFAULT_INJECTION stacktrace:\n[ 168.567394] FAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 1\n[ 168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1\n[ 168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 168.567408] Call trace:\n[ 168.567414] dump_backtrace+0x0/0x310\n[ 168.567418] show_stack+0x28/0x38\n[ 168.567423] dump_stack+0xec/0x15c\n[ 168.567427] should_fail+0x3ac/0x3d0\n[ 168.567437] __should_failslab+0xb8/0x120\n[ 168.567441] should_failslab+0x28/0xc0\n[ 168.567445] kmem_cache_alloc_trace+0x50/0x640\n[ 168.567454] drm_mode_create+0x40/0x90\n[ 168.567458] drm_cvt_mode+0x48/0xc78\n[ 168.567477] virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]\n[ 168.567485] drm_helper_probe_single_connector_modes+0x3a4/0xd80\n[ 168.567492] drm_mode_getconnector+0x2e0/0xa70\n[ 168.567496] drm_ioctl_kernel+0x11c/0x1d8\n[ 168.567514] drm_ioctl+0x558/0x6d0\n[ 168.567522] do_vfs_ioctl+0x160/0xf30\n[ 168.567525] ksys_ioctl+0x98/0xd8\n[ 168.567530] __arm64_sys_ioctl+0x50/0xc8\n[ 168.567536] el0_svc_common+0xc8/0x320\n[ 168.567540] el0_svc_handler+0xf8/0x160\n[ 168.567544] el0_svc+0x10/0x218\n\nKASAN stacktrace:\n[ 168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]\n[ 168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425\n[ 168.567566]\n[ 168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1\n[ 168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 168.567575] Call trace:\n[ 168.567578] dump_backtrace+0x0/0x310\n[ 168.567582] show_stack+0x28/0x38\n[ 168.567586] dump_stack+0xec/0x15c\n[ 168.567591] kasan_report+0x244/0x2f0\n[ 168.567594] __asan_load4+0x58/0xb0\n[ 168.567607] virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]\n[ 168.567612] drm_helper_probe_single_connector_modes+0x3a4/0xd80\n[ 168.567617] drm_mode_getconnector+0x2e0/0xa70\n[ 168.567621] drm_ioctl_kernel+0x11c/0x1d8\n[ 168.567624] drm_ioctl+0x558/0x6d0\n[ 168.567628] do_vfs_ioctl+0x160/0xf30\n[ 168.567632] ksys_ioctl+0x98/0xd8\n[ 168.567636] __arm64_sys_ioctl+0x50/0xc8\n[ 168.567641] el0_svc_common+0xc8/0x320\n[ 168.567645] el0_svc_handler+0xf8/0x160\n[ 168.567649] el0_svc+0x10/0x218"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:57.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e0828456578cc8ba0a69147f7ae3428392eec287"
},
{
"url": "https://git.kernel.org/stable/c/848dd072744ea662ab3097e3c8282bee552df218"
},
{
"url": "https://git.kernel.org/stable/c/edafcad84c4134ebec4bc24b29ca4497a1184eea"
},
{
"url": "https://git.kernel.org/stable/c/f85cb059fad03a3b33a50023be91e944bb065ae8"
},
{
"url": "https://git.kernel.org/stable/c/fadc626cae99aaa1325094edc6a9e2b883f3e562"
},
{
"url": "https://git.kernel.org/stable/c/32e10aabc287f09a148ff759bb9ce70b01b0012c"
},
{
"url": "https://git.kernel.org/stable/c/c51d00472fa54b9b05c17789ed665c17adf3a25d"
},
{
"url": "https://git.kernel.org/stable/c/0f8bc147a963686b7351aa35d1701124ffacac08"
},
{
"url": "https://git.kernel.org/stable/c/194d250cdc4a40ccbd179afd522a9e9846957402"
}
],
"title": "drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49532",
"datePublished": "2025-02-26T02:13:52.013Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:41.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49050 (GCVE-0-2022-49050)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memory: renesas-rpc-if: fix platform-device leak in error path
Make sure to free the flash platform device in the event that
registration fails during probe.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/memory/renesas-rpc-if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c089ffc846c85f200db34ad208338f4f81a6d82d",
"status": "affected",
"version": "ca7d8b980b67f133317525c4273e144116ee1ae5",
"versionType": "git"
},
{
"lessThan": "05d1824a7fb43ab9adb1eb82404954af81d8c984",
"status": "affected",
"version": "ca7d8b980b67f133317525c4273e144116ee1ae5",
"versionType": "git"
},
{
"lessThan": "66b9b707ea4dcafca92b6261c6924652914e3b73",
"status": "affected",
"version": "ca7d8b980b67f133317525c4273e144116ee1ae5",
"versionType": "git"
},
{
"lessThan": "b452dbf24d7d9a990d70118462925f6ee287d135",
"status": "affected",
"version": "ca7d8b980b67f133317525c4273e144116ee1ae5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/memory/renesas-rpc-if.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: renesas-rpc-if: fix platform-device leak in error path\n\nMake sure to free the flash platform device in the event that\nregistration fails during probe."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:40.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c089ffc846c85f200db34ad208338f4f81a6d82d"
},
{
"url": "https://git.kernel.org/stable/c/05d1824a7fb43ab9adb1eb82404954af81d8c984"
},
{
"url": "https://git.kernel.org/stable/c/66b9b707ea4dcafca92b6261c6924652914e3b73"
},
{
"url": "https://git.kernel.org/stable/c/b452dbf24d7d9a990d70118462925f6ee287d135"
}
],
"title": "memory: renesas-rpc-if: fix platform-device leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49050",
"datePublished": "2025-02-26T01:54:25.392Z",
"dateReserved": "2025-02-26T01:49:39.242Z",
"dateUpdated": "2025-05-04T08:28:40.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58085 (GCVE-0-2024-58085)
Vulnerability from cvelistv5
Published
2025-03-06 16:22
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tomoyo: don't emit warning in tomoyo_write_control()
syzbot is reporting too large allocation warning at tomoyo_write_control(),
for one can write a very very long line without new line character. To fix
this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,
for practically a valid line should be always shorter than 32KB where the
"too small to fail" memory-allocation rule applies.
One might try to write a valid line that is longer than 32KB, but such
request will likely fail with -ENOMEM. Therefore, I feel that separately
returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.
There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:20.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/tomoyo/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c67efabddc73171c7771d3ffe4ffa1e503ee533e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6b37b3e12de638753bce79a2858070b9c4a4ad3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2bd5857a0d6973ebbcb4d9831ddcaebbd257be1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a01c200fa7eb59da4d2dbbb48b61f4a0d196c09f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe1c021eb03dae0dc9dce55e81f77a60e419a27a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9382f380e8d09209b8e5c0def0545852168be25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "414705c0303350d139b1dc18f329fe47dfb642dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3df7546fc03b8f004eee0b9e3256369f7d096685",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/tomoyo/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: don\u0027t emit warning in tomoyo_write_control()\n\nsyzbot is reporting too large allocation warning at tomoyo_write_control(),\nfor one can write a very very long line without new line character. To fix\nthis warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,\nfor practically a valid line should be always shorter than 32KB where the\n\"too small to fail\" memory-allocation rule applies.\n\nOne might try to write a valid line that is longer than 32KB, but such\nrequest will likely fail with -ENOMEM. Therefore, I feel that separately\nreturning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.\nThere is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:44.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c67efabddc73171c7771d3ffe4ffa1e503ee533e"
},
{
"url": "https://git.kernel.org/stable/c/f6b37b3e12de638753bce79a2858070b9c4a4ad3"
},
{
"url": "https://git.kernel.org/stable/c/b2bd5857a0d6973ebbcb4d9831ddcaebbd257be1"
},
{
"url": "https://git.kernel.org/stable/c/a01c200fa7eb59da4d2dbbb48b61f4a0d196c09f"
},
{
"url": "https://git.kernel.org/stable/c/fe1c021eb03dae0dc9dce55e81f77a60e419a27a"
},
{
"url": "https://git.kernel.org/stable/c/c9382f380e8d09209b8e5c0def0545852168be25"
},
{
"url": "https://git.kernel.org/stable/c/414705c0303350d139b1dc18f329fe47dfb642dd"
},
{
"url": "https://git.kernel.org/stable/c/3df7546fc03b8f004eee0b9e3256369f7d096685"
}
],
"title": "tomoyo: don\u0027t emit warning in tomoyo_write_control()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58085",
"datePublished": "2025-03-06T16:22:32.761Z",
"dateReserved": "2025-03-06T15:52:09.184Z",
"dateUpdated": "2025-11-03T19:34:20.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21829 (GCVE-0-2025-21829)
Vulnerability from cvelistv5
Published
2025-03-06 16:08
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]"
The Call Trace is as below:
"
<TASK>
? show_regs.cold+0x1a/0x1f
? __rxe_cleanup+0x12c/0x170 [rdma_rxe]
? __warn+0x84/0xd0
? __rxe_cleanup+0x12c/0x170 [rdma_rxe]
? report_bug+0x105/0x180
? handle_bug+0x46/0x80
? exc_invalid_op+0x19/0x70
? asm_exc_invalid_op+0x1b/0x20
? __rxe_cleanup+0x12c/0x170 [rdma_rxe]
? __rxe_cleanup+0x124/0x170 [rdma_rxe]
rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]
ib_destroy_qp_user+0x118/0x190 [ib_core]
rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]
rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]
rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]
process_one_work+0x21d/0x3f0
worker_thread+0x4a/0x3c0
? process_one_work+0x3f0/0x3f0
kthread+0xf0/0x120
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
"
When too many rdma resources are allocated, rxe needs more time to
handle these rdma resources. Sometimes with the current timeout, rxe
can not release the rdma resources correctly.
Compared with other rdma drivers, a bigger timeout is used.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:58.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "720653309dd31c8a927ef5d87964578ad544980f",
"status": "affected",
"version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
"versionType": "git"
},
{
"lessThan": "45e567800492088bc52c9abac35524b4d332a8f8",
"status": "affected",
"version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
"versionType": "git"
},
{
"lessThan": "7a2de8126ed3801f2396720e10a03cd546a3cea1",
"status": "affected",
"version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
"versionType": "git"
},
{
"lessThan": "a7d15eaecf0d6e13226db629ae2401c8c02683e5",
"status": "affected",
"version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
"versionType": "git"
},
{
"lessThan": "edc4ef0e0154096d6c0cf5e06af6fc330dbad9d1",
"status": "affected",
"version": "215d0a755e1bcd92cbe6a71a21194ce7c82ec106",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"\n\nThe Call Trace is as below:\n\"\n \u003cTASK\u003e\n ? show_regs.cold+0x1a/0x1f\n ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n ? __warn+0x84/0xd0\n ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n ? report_bug+0x105/0x180\n ? handle_bug+0x46/0x80\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n ? __rxe_cleanup+0x124/0x170 [rdma_rxe]\n rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]\n ib_destroy_qp_user+0x118/0x190 [ib_core]\n rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]\n rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]\n rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]\n process_one_work+0x21d/0x3f0\n worker_thread+0x4a/0x3c0\n ? process_one_work+0x3f0/0x3f0\n kthread+0xf0/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n\"\nWhen too many rdma resources are allocated, rxe needs more time to\nhandle these rdma resources. Sometimes with the current timeout, rxe\ncan not release the rdma resources correctly.\n\nCompared with other rdma drivers, a bigger timeout is used."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:02.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/720653309dd31c8a927ef5d87964578ad544980f"
},
{
"url": "https://git.kernel.org/stable/c/45e567800492088bc52c9abac35524b4d332a8f8"
},
{
"url": "https://git.kernel.org/stable/c/7a2de8126ed3801f2396720e10a03cd546a3cea1"
},
{
"url": "https://git.kernel.org/stable/c/a7d15eaecf0d6e13226db629ae2401c8c02683e5"
},
{
"url": "https://git.kernel.org/stable/c/edc4ef0e0154096d6c0cf5e06af6fc330dbad9d1"
}
],
"title": "RDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21829",
"datePublished": "2025-03-06T16:08:09.054Z",
"dateReserved": "2024-12-29T08:45:45.776Z",
"dateUpdated": "2025-11-03T20:59:58.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49458 (GCVE-0-2022-49458)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: don't free the IRQ if it was not requested
As msm_drm_uninit() is called from the msm_drm_init() error path,
additional care should be necessary as not to call the free_irq() for
the IRQ that was not requested before (because an error occured earlier
than the request_irq() call).
This fixed the issue reported with the following backtrace:
[ 8.571329] Trying to free already-free IRQ 187
[ 8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c
[ 8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6
[ 8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419
[ 8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)
[ 8.641496] Workqueue: events_unbound deferred_probe_work_func
[ 8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 8.654681] pc : free_irq+0x1e0/0x35c
[ 8.658454] lr : free_irq+0x1e0/0x35c
[ 8.662228] sp : ffff800008ab3950
[ 8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700
[ 8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90
[ 8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800
[ 8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff
[ 8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d
[ 8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c
[ 8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb
[ 8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202
[ 8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000
[ 8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000
[ 8.739217] Call trace:
[ 8.741755] free_irq+0x1e0/0x35c
[ 8.745198] msm_drm_uninit.isra.0+0x14c/0x294 [msm]
[ 8.750548] msm_drm_bind+0x28c/0x5d0 [msm]
[ 8.755081] try_to_bring_up_aggregate_device+0x164/0x1d0
[ 8.760657] __component_add+0xa0/0x170
[ 8.764626] component_add+0x14/0x20
[ 8.768337] dp_display_probe+0x2a4/0x464 [msm]
[ 8.773242] platform_probe+0x68/0xe0
[ 8.777043] really_probe.part.0+0x9c/0x28c
[ 8.781368] __driver_probe_device+0x98/0x144
[ 8.785871] driver_probe_device+0x40/0x140
[ 8.790191] __device_attach_driver+0xb4/0x120
[ 8.794788] bus_for_each_drv+0x78/0xd0
[ 8.798751] __device_attach+0xdc/0x184
[ 8.802713] device_initial_probe+0x14/0x20
[ 8.807031] bus_probe_device+0x9c/0xa4
[ 8.810991] deferred_probe_work_func+0x88/0xc0
[ 8.815667] process_one_work+0x1d0/0x320
[ 8.819809] worker_thread+0x14c/0x444
[ 8.823688] kthread+0x10c/0x110
[ 8.827036] ret_from_fork+0x10/0x20
Patchwork: https://patchwork.freedesktop.org/patch/485422/
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c",
"drivers/gpu/drm/msm/msm_kms.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "beb81c13d020ceb7f8693e65464162e5f249218e",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "b288ec4439c1dad304c1862bf6b0be78d9b1b2b2",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "59023c4fb1ab3de0fa001681650f662c253c7fd7",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "577e2a9dfc8fba7938aaf75db63fae7e328cc3cb",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c",
"drivers/gpu/drm/msm/msm_kms.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: don\u0027t free the IRQ if it was not requested\n\nAs msm_drm_uninit() is called from the msm_drm_init() error path,\nadditional care should be necessary as not to call the free_irq() for\nthe IRQ that was not requested before (because an error occured earlier\nthan the request_irq() call).\n\nThis fixed the issue reported with the following backtrace:\n\n[ 8.571329] Trying to free already-free IRQ 187\n[ 8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c\n[ 8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6\n[ 8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419\n[ 8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)\n[ 8.641496] Workqueue: events_unbound deferred_probe_work_func\n[ 8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 8.654681] pc : free_irq+0x1e0/0x35c\n[ 8.658454] lr : free_irq+0x1e0/0x35c\n[ 8.662228] sp : ffff800008ab3950\n[ 8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700\n[ 8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90\n[ 8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800\n[ 8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff\n[ 8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d\n[ 8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c\n[ 8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb\n[ 8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202\n[ 8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000\n[ 8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000\n[ 8.739217] Call trace:\n[ 8.741755] free_irq+0x1e0/0x35c\n[ 8.745198] msm_drm_uninit.isra.0+0x14c/0x294 [msm]\n[ 8.750548] msm_drm_bind+0x28c/0x5d0 [msm]\n[ 8.755081] try_to_bring_up_aggregate_device+0x164/0x1d0\n[ 8.760657] __component_add+0xa0/0x170\n[ 8.764626] component_add+0x14/0x20\n[ 8.768337] dp_display_probe+0x2a4/0x464 [msm]\n[ 8.773242] platform_probe+0x68/0xe0\n[ 8.777043] really_probe.part.0+0x9c/0x28c\n[ 8.781368] __driver_probe_device+0x98/0x144\n[ 8.785871] driver_probe_device+0x40/0x140\n[ 8.790191] __device_attach_driver+0xb4/0x120\n[ 8.794788] bus_for_each_drv+0x78/0xd0\n[ 8.798751] __device_attach+0xdc/0x184\n[ 8.802713] device_initial_probe+0x14/0x20\n[ 8.807031] bus_probe_device+0x9c/0xa4\n[ 8.810991] deferred_probe_work_func+0x88/0xc0\n[ 8.815667] process_one_work+0x1d0/0x320\n[ 8.819809] worker_thread+0x14c/0x444\n[ 8.823688] kthread+0x10c/0x110\n[ 8.827036] ret_from_fork+0x10/0x20\n\nPatchwork: https://patchwork.freedesktop.org/patch/485422/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:10.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/beb81c13d020ceb7f8693e65464162e5f249218e"
},
{
"url": "https://git.kernel.org/stable/c/b288ec4439c1dad304c1862bf6b0be78d9b1b2b2"
},
{
"url": "https://git.kernel.org/stable/c/59023c4fb1ab3de0fa001681650f662c253c7fd7"
},
{
"url": "https://git.kernel.org/stable/c/577e2a9dfc8fba7938aaf75db63fae7e328cc3cb"
}
],
"title": "drm/msm: don\u0027t free the IRQ if it was not requested",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49458",
"datePublished": "2025-02-26T02:13:06.202Z",
"dateReserved": "2025-02-26T02:08:31.574Z",
"dateUpdated": "2025-05-04T08:38:10.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49256 (GCVE-0-2022-49256)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Actually free the watch
free_watch() does everything barring actually freeing the watch object. Fix
this by adding the missing kfree.
kmemleak produces a report something like the following. Note that as an
address can be seen in the first word, the watch would appear to have gone
through call_rcu().
BUG: memory leak
unreferenced object 0xffff88810ce4a200 (size 96):
comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s)
hex dump (first 32 bytes):
e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............
80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8214e6cc>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff8214e6cc>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff8214e6cc>] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800
[<ffffffff8214ec84>] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016
[<ffffffff84493a25>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84493a25>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "f69aecb49968e14196366bbe896eab0a904229f5",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "7e8c9b0df07a77f0d072603b8ced2677e30e1893",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "31824613a42aacdcbeb325bf07a1c8247a11ebe2",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "3d8dcf278b1ee1eff1e90be848fa2237db4c07a7",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Actually free the watch\n\nfree_watch() does everything barring actually freeing the watch object. Fix\nthis by adding the missing kfree.\n\nkmemleak produces a report something like the following. Note that as an\naddress can be seen in the first word, the watch would appear to have gone\nthrough call_rcu().\n\nBUG: memory leak\nunreferenced object 0xffff88810ce4a200 (size 96):\n comm \"syz-executor352\", pid 3605, jiffies 4294947473 (age 13.720s)\n hex dump (first 32 bytes):\n e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............\n 80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff8214e6cc\u003e] kmalloc include/linux/slab.h:581 [inline]\n [\u003cffffffff8214e6cc\u003e] kzalloc include/linux/slab.h:714 [inline]\n [\u003cffffffff8214e6cc\u003e] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800\n [\u003cffffffff8214ec84\u003e] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016\n [\u003cffffffff84493a25\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003cffffffff84493a25\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [\u003cffffffff84600068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:29.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b"
},
{
"url": "https://git.kernel.org/stable/c/f69aecb49968e14196366bbe896eab0a904229f5"
},
{
"url": "https://git.kernel.org/stable/c/7e8c9b0df07a77f0d072603b8ced2677e30e1893"
},
{
"url": "https://git.kernel.org/stable/c/31824613a42aacdcbeb325bf07a1c8247a11ebe2"
},
{
"url": "https://git.kernel.org/stable/c/3d8dcf278b1ee1eff1e90be848fa2237db4c07a7"
}
],
"title": "watch_queue: Actually free the watch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49256",
"datePublished": "2025-02-26T01:56:10.599Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:29.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21821 (GCVE-0-2025-21821)
Vulnerability from cvelistv5
Published
2025-02-27 20:06
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: omap: use threaded IRQ for LCD DMA
When using touchscreen and framebuffer, Nokia 770 crashes easily with:
BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000
Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd
CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2
Hardware name: Nokia 770
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x54/0x5c
dump_stack_lvl from __schedule_bug+0x50/0x70
__schedule_bug from __schedule+0x4d4/0x5bc
__schedule from schedule+0x34/0xa0
schedule from schedule_preempt_disabled+0xc/0x10
schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4
__mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4
clk_prepare_lock from clk_set_rate+0x18/0x154
clk_set_rate from sossi_read_data+0x4c/0x168
sossi_read_data from hwa742_read_reg+0x5c/0x8c
hwa742_read_reg from send_frame_handler+0xfc/0x300
send_frame_handler from process_pending_requests+0x74/0xd0
process_pending_requests from lcd_dma_irq_handler+0x50/0x74
lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130
__handle_irq_event_percpu from handle_irq_event+0x28/0x68
handle_irq_event from handle_level_irq+0x9c/0x170
handle_level_irq from generic_handle_domain_irq+0x2c/0x3c
generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c
omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c
generic_handle_arch_irq from call_with_stack+0x1c/0x24
call_with_stack from __irq_svc+0x94/0xa8
Exception stack(0xc5255da0 to 0xc5255de8)
5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248
5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94
5de0: 60000013 ffffffff
__irq_svc from clk_prepare_lock+0x4c/0xe4
clk_prepare_lock from clk_get_rate+0x10/0x74
clk_get_rate from uwire_setup_transfer+0x40/0x180
uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c
spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664
spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498
__spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8
__spi_sync from spi_sync+0x24/0x40
spi_sync from ads7846_halfd_read_state+0x5c/0x1c0
ads7846_halfd_read_state from ads7846_irq+0x58/0x348
ads7846_irq from irq_thread_fn+0x1c/0x78
irq_thread_fn from irq_thread+0x120/0x228
irq_thread from kthread+0xc8/0xe8
kthread from ret_from_fork+0x14/0x28
As a quick fix, switch to a threaded IRQ which provides a stable system.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:54.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bbbd311dd503653a2cc86d9226740883051dc92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb6a5edb60921887d7d10619fcdcbee9759552cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa8e22cbedeb626f2a6bda0aea362353d627cd0a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8392ea100f0b86c234c739c6662f39f0ccc0cefd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e4b6b665df815b4841e71b72f06446884e8aad40",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/omap/lcd_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omap: use threaded IRQ for LCD DMA\n\nWhen using touchscreen and framebuffer, Nokia 770 crashes easily with:\n\n BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000\n Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd\n CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2\n Hardware name: Nokia 770\n Call trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x54/0x5c\n dump_stack_lvl from __schedule_bug+0x50/0x70\n __schedule_bug from __schedule+0x4d4/0x5bc\n __schedule from schedule+0x34/0xa0\n schedule from schedule_preempt_disabled+0xc/0x10\n schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4\n __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4\n clk_prepare_lock from clk_set_rate+0x18/0x154\n clk_set_rate from sossi_read_data+0x4c/0x168\n sossi_read_data from hwa742_read_reg+0x5c/0x8c\n hwa742_read_reg from send_frame_handler+0xfc/0x300\n send_frame_handler from process_pending_requests+0x74/0xd0\n process_pending_requests from lcd_dma_irq_handler+0x50/0x74\n lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130\n __handle_irq_event_percpu from handle_irq_event+0x28/0x68\n handle_irq_event from handle_level_irq+0x9c/0x170\n handle_level_irq from generic_handle_domain_irq+0x2c/0x3c\n generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c\n omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c\n generic_handle_arch_irq from call_with_stack+0x1c/0x24\n call_with_stack from __irq_svc+0x94/0xa8\n Exception stack(0xc5255da0 to 0xc5255de8)\n 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248\n 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94\n 5de0: 60000013 ffffffff\n __irq_svc from clk_prepare_lock+0x4c/0xe4\n clk_prepare_lock from clk_get_rate+0x10/0x74\n clk_get_rate from uwire_setup_transfer+0x40/0x180\n uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c\n spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664\n spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498\n __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8\n __spi_sync from spi_sync+0x24/0x40\n spi_sync from ads7846_halfd_read_state+0x5c/0x1c0\n ads7846_halfd_read_state from ads7846_irq+0x58/0x348\n ads7846_irq from irq_thread_fn+0x1c/0x78\n irq_thread_fn from irq_thread+0x120/0x228\n irq_thread from kthread+0xc8/0xe8\n kthread from ret_from_fork+0x14/0x28\n\nAs a quick fix, switch to a threaded IRQ which provides a stable system."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:52.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bbbd311dd503653a2cc86d9226740883051dc92"
},
{
"url": "https://git.kernel.org/stable/c/fb6a5edb60921887d7d10619fcdcbee9759552cb"
},
{
"url": "https://git.kernel.org/stable/c/aa8e22cbedeb626f2a6bda0aea362353d627cd0a"
},
{
"url": "https://git.kernel.org/stable/c/8392ea100f0b86c234c739c6662f39f0ccc0cefd"
},
{
"url": "https://git.kernel.org/stable/c/e4b6b665df815b4841e71b72f06446884e8aad40"
}
],
"title": "fbdev: omap: use threaded IRQ for LCD DMA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21821",
"datePublished": "2025-02-27T20:06:12.722Z",
"dateReserved": "2024-12-29T08:45:45.775Z",
"dateUpdated": "2025-11-03T20:59:54.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49288 (GCVE-0-2022-49288)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix races among concurrent prealloc proc writes
We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem. This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:50.352103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7786c445bb67a9a6e64f66ebd6b7215b153ff7d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e14dca613e0a6ddc2bf6e360f16936a9f865205b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37b12c16beb6f6c1c3c678c1aacbc46525c250f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b560d670c87d7d40b3cf6949246fa4c7aa65a00a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51fce708ab8986a9879ee5da946a2cc120f1036d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a21d2f323b5a978dedf9ff1d50f101f85e39b3f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "69534c48ba8ce552ce383b3dfdb271ffe51820c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.193",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.279",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.193",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent prealloc proc writes\n\nWe have no protection against concurrent PCM buffer preallocation\nchanges via proc files, and it may potentially lead to UAF or some\nweird problem. This patch applies the PCM open_mutex to the proc\nwrite operation for avoiding the racy proc writes and the PCM stream\nopen (and further operations)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:18.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7786c445bb67a9a6e64f66ebd6b7215b153ff7d"
},
{
"url": "https://git.kernel.org/stable/c/e14dca613e0a6ddc2bf6e360f16936a9f865205b"
},
{
"url": "https://git.kernel.org/stable/c/37b12c16beb6f6c1c3c678c1aacbc46525c250f7"
},
{
"url": "https://git.kernel.org/stable/c/b560d670c87d7d40b3cf6949246fa4c7aa65a00a"
},
{
"url": "https://git.kernel.org/stable/c/51fce708ab8986a9879ee5da946a2cc120f1036d"
},
{
"url": "https://git.kernel.org/stable/c/a21d2f323b5a978dedf9ff1d50f101f85e39b3f2"
},
{
"url": "https://git.kernel.org/stable/c/5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6"
},
{
"url": "https://git.kernel.org/stable/c/69534c48ba8ce552ce383b3dfdb271ffe51820c3"
}
],
"title": "ALSA: pcm: Fix races among concurrent prealloc proc writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49288",
"datePublished": "2025-02-26T01:56:26.550Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:18.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49193 (GCVE-0-2022-49193)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix 'scheduling while atomic' on aux critical err interrupt
There's a kernel BUG splat on processing aux critical error
interrupts in ice_misc_intr():
[ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000
...
[ 2101.060770] Call Trace:
[ 2101.063229] <IRQ>
[ 2101.065252] dump_stack+0x41/0x60
[ 2101.068587] __schedule_bug.cold.100+0x4c/0x58
[ 2101.073060] __schedule+0x6a4/0x830
[ 2101.076570] schedule+0x35/0xa0
[ 2101.079727] schedule_preempt_disabled+0xa/0x10
[ 2101.084284] __mutex_lock.isra.7+0x310/0x420
[ 2101.088580] ? ice_misc_intr+0x201/0x2e0 [ice]
[ 2101.093078] ice_send_event_to_aux+0x25/0x70 [ice]
[ 2101.097921] ice_misc_intr+0x220/0x2e0 [ice]
[ 2101.102232] __handle_irq_event_percpu+0x40/0x180
[ 2101.106965] handle_irq_event_percpu+0x30/0x80
[ 2101.111434] handle_irq_event+0x36/0x53
[ 2101.115292] handle_edge_irq+0x82/0x190
[ 2101.119148] handle_irq+0x1c/0x30
[ 2101.122480] do_IRQ+0x49/0xd0
[ 2101.125465] common_interrupt+0xf/0xf
[ 2101.129146] </IRQ>
...
As Andrew correctly mentioned previously[0], the following call
ladder happens:
ice_misc_intr() <- hardirq
ice_send_event_to_aux()
device_lock()
mutex_lock()
might_sleep()
might_resched() <- oops
Add a new PF state bit which indicates that an aux critical error
occurred and serve it in ice_service_task() in process context.
The new ice_pf::oicr_err_reg is read-write in both hardirq and
process contexts, but only 3 bits of non-critical data probably
aren't worth explicit synchronizing (and they're even in the same
byte [31:24]).
[0] https://lore.kernel.org/all/YeSRUVmrdmlUXHDn@lunn.ch
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice.h",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b77c8cf69a41d1e3851370aeaa04a9ea83b865c",
"status": "affected",
"version": "348048e724a0e8f08b63948d728d27596f6d3769",
"versionType": "git"
},
{
"lessThan": "24d7ac8426306ae7ccea7f7dd612a7368fe7201d",
"status": "affected",
"version": "348048e724a0e8f08b63948d728d27596f6d3769",
"versionType": "git"
},
{
"lessThan": "59e88a50afad7469c55804e46bf2924b9130281f",
"status": "affected",
"version": "348048e724a0e8f08b63948d728d27596f6d3769",
"versionType": "git"
},
{
"lessThan": "32d53c0aa3a7b727243473949bad2a830b908edc",
"status": "affected",
"version": "348048e724a0e8f08b63948d728d27596f6d3769",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice.h",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix \u0027scheduling while atomic\u0027 on aux critical err interrupt\n\nThere\u0027s a kernel BUG splat on processing aux critical error\ninterrupts in ice_misc_intr():\n\n[ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000\n...\n[ 2101.060770] Call Trace:\n[ 2101.063229] \u003cIRQ\u003e\n[ 2101.065252] dump_stack+0x41/0x60\n[ 2101.068587] __schedule_bug.cold.100+0x4c/0x58\n[ 2101.073060] __schedule+0x6a4/0x830\n[ 2101.076570] schedule+0x35/0xa0\n[ 2101.079727] schedule_preempt_disabled+0xa/0x10\n[ 2101.084284] __mutex_lock.isra.7+0x310/0x420\n[ 2101.088580] ? ice_misc_intr+0x201/0x2e0 [ice]\n[ 2101.093078] ice_send_event_to_aux+0x25/0x70 [ice]\n[ 2101.097921] ice_misc_intr+0x220/0x2e0 [ice]\n[ 2101.102232] __handle_irq_event_percpu+0x40/0x180\n[ 2101.106965] handle_irq_event_percpu+0x30/0x80\n[ 2101.111434] handle_irq_event+0x36/0x53\n[ 2101.115292] handle_edge_irq+0x82/0x190\n[ 2101.119148] handle_irq+0x1c/0x30\n[ 2101.122480] do_IRQ+0x49/0xd0\n[ 2101.125465] common_interrupt+0xf/0xf\n[ 2101.129146] \u003c/IRQ\u003e\n...\n\nAs Andrew correctly mentioned previously[0], the following call\nladder happens:\n\nice_misc_intr() \u003c- hardirq\n ice_send_event_to_aux()\n device_lock()\n mutex_lock()\n might_sleep()\n might_resched() \u003c- oops\n\nAdd a new PF state bit which indicates that an aux critical error\noccurred and serve it in ice_service_task() in process context.\nThe new ice_pf::oicr_err_reg is read-write in both hardirq and\nprocess contexts, but only 3 bits of non-critical data probably\naren\u0027t worth explicit synchronizing (and they\u0027re even in the same\nbyte [31:24]).\n\n[0] https://lore.kernel.org/all/YeSRUVmrdmlUXHDn@lunn.ch"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:05.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b77c8cf69a41d1e3851370aeaa04a9ea83b865c"
},
{
"url": "https://git.kernel.org/stable/c/24d7ac8426306ae7ccea7f7dd612a7368fe7201d"
},
{
"url": "https://git.kernel.org/stable/c/59e88a50afad7469c55804e46bf2924b9130281f"
},
{
"url": "https://git.kernel.org/stable/c/32d53c0aa3a7b727243473949bad2a830b908edc"
}
],
"title": "ice: fix \u0027scheduling while atomic\u0027 on aux critical err interrupt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49193",
"datePublished": "2025-02-26T01:55:39.088Z",
"dateReserved": "2025-02-26T01:49:39.287Z",
"dateUpdated": "2025-05-04T08:32:05.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1652 (GCVE-0-2023-1652)
Vulnerability from cvelistv5
Published
2023-03-29 00:00
Modified
2025-02-18 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Linux Kernel |
Version: Kernel 6.2 RC5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:24.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2023-1652"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230511-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T16:38:22.476505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T16:38:32.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Linux Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Kernel 6.2 RC5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://access.redhat.com/security/cve/cve-2023-1652"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230511-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-1652",
"datePublished": "2023-03-29T00:00:00.000Z",
"dateReserved": "2023-03-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T16:38:32.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49479 (GCVE-0-2022-49479)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: fix tx status related use-after-free race on station removal
There is a small race window where ongoing tx activity can lead to a skb
getting added to the status tracking idr after that idr has already been
cleaned up, which will keep the wcid linked in the status poll list.
Fix this by only adding status skbs if the wcid pointer is still assigned
in dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:50.287677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c",
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef7f9f894cfd0b2e471206409a529af4a26ddd55",
"status": "affected",
"version": "bd1e3e7b693c17a04e7d2bd9119daa482b7c7720",
"versionType": "git"
},
{
"lessThan": "ddd426d72aca4054045a9bd3b80a4ce1d398f11f",
"status": "affected",
"version": "bd1e3e7b693c17a04e7d2bd9119daa482b7c7720",
"versionType": "git"
},
{
"lessThan": "fcfe1b5e162bf473c1d47760962cec8523c00466",
"status": "affected",
"version": "bd1e3e7b693c17a04e7d2bd9119daa482b7c7720",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c",
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix tx status related use-after-free race on station removal\n\nThere is a small race window where ongoing tx activity can lead to a skb\ngetting added to the status tracking idr after that idr has already been\ncleaned up, which will keep the wcid linked in the status poll list.\nFix this by only adding status skbs if the wcid pointer is still assigned\nin dev-\u003ewcid, which gets cleared early by mt76_sta_pre_rcu_remove"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:37.058Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef7f9f894cfd0b2e471206409a529af4a26ddd55"
},
{
"url": "https://git.kernel.org/stable/c/ddd426d72aca4054045a9bd3b80a4ce1d398f11f"
},
{
"url": "https://git.kernel.org/stable/c/fcfe1b5e162bf473c1d47760962cec8523c00466"
}
],
"title": "mt76: fix tx status related use-after-free race on station removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49479",
"datePublished": "2025-02-26T02:13:20.011Z",
"dateReserved": "2025-02-26T02:08:31.581Z",
"dateUpdated": "2025-05-04T08:38:37.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49208 (GCVE-0-2022-49208)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Prevent some integer underflows
My static checker complains that:
drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init()
warn: can subtract underflow 'info->dev->hmc_fpm_misc.max_ceqs'?
It appears that "info->dev->hmc_fpm_misc.max_ceqs" comes from the firmware
in irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could
be zero. Even if we trust the firmware, it's easy enough to change the
condition just as a hardenning measure.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:59.199426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:06.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d52dab6e03550f9c97121b0c11c0a3ed78ee76a4",
"status": "affected",
"version": "3f49d684256963d3f27dfb9d9ff228e2255be78d",
"versionType": "git"
},
{
"lessThan": "f21056f15bbeacab7b4b87af232f5599d1f2bff1",
"status": "affected",
"version": "3f49d684256963d3f27dfb9d9ff228e2255be78d",
"versionType": "git"
},
{
"lessThan": "7340c3675d7ac946f4019b84cd7c64ed542dfe4c",
"status": "affected",
"version": "3f49d684256963d3f27dfb9d9ff228e2255be78d",
"versionType": "git"
},
{
"lessThan": "6f6dbb819dfc1a35bcb8b709b5c83a3ea8beff75",
"status": "affected",
"version": "3f49d684256963d3f27dfb9d9ff228e2255be78d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Prevent some integer underflows\n\nMy static checker complains that:\n\n drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init()\n warn: can subtract underflow \u0027info-\u003edev-\u003ehmc_fpm_misc.max_ceqs\u0027?\n\nIt appears that \"info-\u003edev-\u003ehmc_fpm_misc.max_ceqs\" comes from the firmware\nin irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could\nbe zero. Even if we trust the firmware, it\u0027s easy enough to change the\ncondition just as a hardenning measure."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:23.562Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d52dab6e03550f9c97121b0c11c0a3ed78ee76a4"
},
{
"url": "https://git.kernel.org/stable/c/f21056f15bbeacab7b4b87af232f5599d1f2bff1"
},
{
"url": "https://git.kernel.org/stable/c/7340c3675d7ac946f4019b84cd7c64ed542dfe4c"
},
{
"url": "https://git.kernel.org/stable/c/6f6dbb819dfc1a35bcb8b709b5c83a3ea8beff75"
}
],
"title": "RDMA/irdma: Prevent some integer underflows",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49208",
"datePublished": "2025-02-26T01:55:46.666Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:47:06.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49123 (GCVE-0-2022-49123)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: Fix frames flush failure caused by deadlock
We are seeing below warnings:
kernel: [25393.301506] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0
kernel: [25398.421509] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0
kernel: [25398.421831] ath11k_pci 0000:01:00.0: dropping mgmt frame for vdev 0, is_started 0
this means ath11k fails to flush mgmt. frames because wmi_mgmt_tx_work
has no chance to run in 5 seconds.
By setting /proc/sys/kernel/hung_task_timeout_secs to 20 and increasing
ATH11K_FLUSH_TIMEOUT to 50 we get below warnings:
kernel: [ 120.763160] INFO: task wpa_supplicant:924 blocked for more than 20 seconds.
kernel: [ 120.763169] Not tainted 5.10.90 #12
kernel: [ 120.763177] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kernel: [ 120.763186] task:wpa_supplicant state:D stack: 0 pid: 924 ppid: 1 flags:0x000043a0
kernel: [ 120.763201] Call Trace:
kernel: [ 120.763214] __schedule+0x785/0x12fa
kernel: [ 120.763224] ? lockdep_hardirqs_on_prepare+0xe2/0x1bb
kernel: [ 120.763242] schedule+0x7e/0xa1
kernel: [ 120.763253] schedule_timeout+0x98/0xfe
kernel: [ 120.763266] ? run_local_timers+0x4a/0x4a
kernel: [ 120.763291] ath11k_mac_flush_tx_complete+0x197/0x2b1 [ath11k 13c3a9bf37790f4ac8103b3decf7ab4008ac314a]
kernel: [ 120.763306] ? init_wait_entry+0x2e/0x2e
kernel: [ 120.763343] __ieee80211_flush_queues+0x167/0x21f [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763378] __ieee80211_recalc_idle+0x105/0x125 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763411] ieee80211_recalc_idle+0x14/0x27 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763441] ieee80211_free_chanctx+0x77/0xa2 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763473] __ieee80211_vif_release_channel+0x100/0x131 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763540] ieee80211_vif_release_channel+0x66/0x81 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763572] ieee80211_destroy_auth_data+0xa3/0xe6 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763612] ieee80211_mgd_deauth+0x178/0x29b [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]
kernel: [ 120.763654] cfg80211_mlme_deauth+0x1a8/0x22c [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]
kernel: [ 120.763697] nl80211_deauthenticate+0xfa/0x123 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]
kernel: [ 120.763715] genl_rcv_msg+0x392/0x3c2
kernel: [ 120.763750] ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]
kernel: [ 120.763782] ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]
kernel: [ 120.763802] ? genl_rcv+0x36/0x36
kernel: [ 120.763814] netlink_rcv_skb+0x89/0xf7
kernel: [ 120.763829] genl_rcv+0x28/0x36
kernel: [ 120.763840] netlink_unicast+0x179/0x24b
kernel: [ 120.763854] netlink_sendmsg+0x393/0x401
kernel: [ 120.763872] sock_sendmsg+0x72/0x76
kernel: [ 120.763886] ____sys_sendmsg+0x170/0x1e6
kernel: [ 120.763897] ? copy_msghdr_from_user+0x7a/0xa2
kernel: [ 120.763914] ___sys_sendmsg+0x95/0xd1
kernel: [ 120.763940] __sys_sendmsg+0x85/0xbf
kernel: [ 120.763956] do_syscall_64+0x43/0x55
kernel: [ 120.763966] entry_SYSCALL_64_after_hwframe+0x44/0xa9
kernel: [ 120.763977] RIP: 0033:0x79089f3fcc83
kernel: [ 120.763986] RSP: 002b:00007ffe604f0508 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
kernel: [ 120.763997] RAX: ffffffffffffffda RBX: 000059b40e987690 RCX: 000079089f3fcc83
kernel: [ 120.764006] RDX: 0000000000000000 RSI: 00007ffe604f0558 RDI: 0000000000000009
kernel: [ 120.764014] RBP: 00007ffe604f0540 R08: 0000000000000004 R09: 0000000000400000
kernel: [ 120.764023] R10: 00007ffe604f0638 R11: 0000000000000246 R12: 000059b40ea04980
kernel: [ 120.764032] R13: 00007ffe604
---truncated---
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:35.704983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33e723dc054edfc94da90eecca3b72cb424ce4a3",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "261b07519518bd14cb168b287b17e1d195f8d0c8",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: Fix frames flush failure caused by deadlock\n\nWe are seeing below warnings:\n\nkernel: [25393.301506] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0\nkernel: [25398.421509] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0\nkernel: [25398.421831] ath11k_pci 0000:01:00.0: dropping mgmt frame for vdev 0, is_started 0\n\nthis means ath11k fails to flush mgmt. frames because wmi_mgmt_tx_work\nhas no chance to run in 5 seconds.\n\nBy setting /proc/sys/kernel/hung_task_timeout_secs to 20 and increasing\nATH11K_FLUSH_TIMEOUT to 50 we get below warnings:\n\nkernel: [ 120.763160] INFO: task wpa_supplicant:924 blocked for more than 20 seconds.\nkernel: [ 120.763169] Not tainted 5.10.90 #12\nkernel: [ 120.763177] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nkernel: [ 120.763186] task:wpa_supplicant state:D stack: 0 pid: 924 ppid: 1 flags:0x000043a0\nkernel: [ 120.763201] Call Trace:\nkernel: [ 120.763214] __schedule+0x785/0x12fa\nkernel: [ 120.763224] ? lockdep_hardirqs_on_prepare+0xe2/0x1bb\nkernel: [ 120.763242] schedule+0x7e/0xa1\nkernel: [ 120.763253] schedule_timeout+0x98/0xfe\nkernel: [ 120.763266] ? run_local_timers+0x4a/0x4a\nkernel: [ 120.763291] ath11k_mac_flush_tx_complete+0x197/0x2b1 [ath11k 13c3a9bf37790f4ac8103b3decf7ab4008ac314a]\nkernel: [ 120.763306] ? init_wait_entry+0x2e/0x2e\nkernel: [ 120.763343] __ieee80211_flush_queues+0x167/0x21f [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763378] __ieee80211_recalc_idle+0x105/0x125 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763411] ieee80211_recalc_idle+0x14/0x27 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763441] ieee80211_free_chanctx+0x77/0xa2 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763473] __ieee80211_vif_release_channel+0x100/0x131 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763540] ieee80211_vif_release_channel+0x66/0x81 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763572] ieee80211_destroy_auth_data+0xa3/0xe6 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763612] ieee80211_mgd_deauth+0x178/0x29b [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [ 120.763654] cfg80211_mlme_deauth+0x1a8/0x22c [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [ 120.763697] nl80211_deauthenticate+0xfa/0x123 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [ 120.763715] genl_rcv_msg+0x392/0x3c2\nkernel: [ 120.763750] ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [ 120.763782] ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [ 120.763802] ? genl_rcv+0x36/0x36\nkernel: [ 120.763814] netlink_rcv_skb+0x89/0xf7\nkernel: [ 120.763829] genl_rcv+0x28/0x36\nkernel: [ 120.763840] netlink_unicast+0x179/0x24b\nkernel: [ 120.763854] netlink_sendmsg+0x393/0x401\nkernel: [ 120.763872] sock_sendmsg+0x72/0x76\nkernel: [ 120.763886] ____sys_sendmsg+0x170/0x1e6\nkernel: [ 120.763897] ? copy_msghdr_from_user+0x7a/0xa2\nkernel: [ 120.763914] ___sys_sendmsg+0x95/0xd1\nkernel: [ 120.763940] __sys_sendmsg+0x85/0xbf\nkernel: [ 120.763956] do_syscall_64+0x43/0x55\nkernel: [ 120.763966] entry_SYSCALL_64_after_hwframe+0x44/0xa9\nkernel: [ 120.763977] RIP: 0033:0x79089f3fcc83\nkernel: [ 120.763986] RSP: 002b:00007ffe604f0508 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nkernel: [ 120.763997] RAX: ffffffffffffffda RBX: 000059b40e987690 RCX: 000079089f3fcc83\nkernel: [ 120.764006] RDX: 0000000000000000 RSI: 00007ffe604f0558 RDI: 0000000000000009\nkernel: [ 120.764014] RBP: 00007ffe604f0540 R08: 0000000000000004 R09: 0000000000400000\nkernel: [ 120.764023] R10: 00007ffe604f0638 R11: 0000000000000246 R12: 000059b40ea04980\nkernel: [ 120.764032] R13: 00007ffe604\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:23.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33e723dc054edfc94da90eecca3b72cb424ce4a3"
},
{
"url": "https://git.kernel.org/stable/c/261b07519518bd14cb168b287b17e1d195f8d0c8"
}
],
"title": "ath11k: Fix frames flush failure caused by deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49123",
"datePublished": "2025-02-26T01:55:02.697Z",
"dateReserved": "2025-02-26T01:49:39.265Z",
"dateUpdated": "2025-10-01T19:57:03.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41005 (GCVE-0-2024-41005)
Vulnerability from cvelistv5
Published
2024-07-12 12:44
Modified
2025-11-03 21:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netpoll: Fix race condition in netpoll_owner_active
KCSAN detected a race condition in netpoll:
BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb
write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:
net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
<snip>
read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:
netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)
netpoll_send_udp (net/core/netpoll.c:?)
<snip>
value changed: 0x0000000a -> 0xffffffff
This happens because netpoll_owner_active() needs to check if the
current CPU is the owner of the lock, touching napi->poll_owner
non atomically. The ->poll_owner field contains the current CPU holding
the lock.
Use an atomic read to check if the poll owner is the current CPU.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:59:08.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:01:02.203539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:18.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43c0ca793a18578a0f5b305dd77fcf7ed99f1265",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "96826b16ef9c6568d31a1f6ceaa266411a46e46c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3f1a155950a1685ffd0fd7175b3f671da8771f3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a130e7da73ae93afdb4659842267eec734ffbd57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c2e6a872bde9912f1a7579639c5ca3adf1003916",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n\u003csnip\u003e\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n\u003csnip\u003e\n\tvalue changed: 0x0000000a -\u003e 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi-\u003epoll_owner\nnon atomically. The -\u003epoll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:19:54.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265"
},
{
"url": "https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e"
},
{
"url": "https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c"
},
{
"url": "https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d"
},
{
"url": "https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57"
},
{
"url": "https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916"
}
],
"title": "netpoll: Fix race condition in netpoll_owner_active",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41005",
"datePublished": "2024-07-12T12:44:40.467Z",
"dateReserved": "2024-07-12T12:17:45.610Z",
"dateUpdated": "2025-11-03T21:59:08.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57997 (GCVE-0-2024-57997)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wcn36xx: fix channel survey memory allocation size
KASAN reported a memory allocation issue in wcn->chan_survey
due to incorrect size calculation.
This commit uses kcalloc to allocate memory for wcn->chan_survey,
ensuring proper initialization and preventing the use of uninitialized
values when there are no frames on the channel.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:20.546897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:42.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:08.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/wcn36xx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae68efdff7a7a42ab251cac79d8713de6f0dbaa0",
"status": "affected",
"version": "29696e0aa413b9d56558731aae3806d7cff48d36",
"versionType": "git"
},
{
"lessThan": "e95f9c408ff8311f75eeabc8acf34a66670d8815",
"status": "affected",
"version": "29696e0aa413b9d56558731aae3806d7cff48d36",
"versionType": "git"
},
{
"lessThan": "64c4dcaeac1dc1030e47883b04a617ca9a4f164e",
"status": "affected",
"version": "29696e0aa413b9d56558731aae3806d7cff48d36",
"versionType": "git"
},
{
"lessThan": "34cd2817708aec51ef1a6c007e0d6d5342a025d7",
"status": "affected",
"version": "29696e0aa413b9d56558731aae3806d7cff48d36",
"versionType": "git"
},
{
"lessThan": "6200d947f050efdba4090dfefd8a01981363d954",
"status": "affected",
"version": "29696e0aa413b9d56558731aae3806d7cff48d36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/wcn36xx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wcn36xx: fix channel survey memory allocation size\n\nKASAN reported a memory allocation issue in wcn-\u003echan_survey\ndue to incorrect size calculation.\nThis commit uses kcalloc to allocate memory for wcn-\u003echan_survey,\nensuring proper initialization and preventing the use of uninitialized\nvalues when there are no frames on the channel."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:02.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae68efdff7a7a42ab251cac79d8713de6f0dbaa0"
},
{
"url": "https://git.kernel.org/stable/c/e95f9c408ff8311f75eeabc8acf34a66670d8815"
},
{
"url": "https://git.kernel.org/stable/c/64c4dcaeac1dc1030e47883b04a617ca9a4f164e"
},
{
"url": "https://git.kernel.org/stable/c/34cd2817708aec51ef1a6c007e0d6d5342a025d7"
},
{
"url": "https://git.kernel.org/stable/c/6200d947f050efdba4090dfefd8a01981363d954"
}
],
"title": "wifi: wcn36xx: fix channel survey memory allocation size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57997",
"datePublished": "2025-02-27T02:07:17.371Z",
"dateReserved": "2025-02-27T02:04:28.915Z",
"dateUpdated": "2025-11-03T19:33:08.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49313 (GCVE-0-2022-49313)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: usb: host: Fix deadlock in oxu_bus_suspend()
There is a deadlock in oxu_bus_suspend(), which is shown below:
(Thread 1) | (Thread 2)
| timer_action()
oxu_bus_suspend() | mod_timer()
spin_lock_irq() //(1) | (wait a time)
... | oxu_watchdog()
del_timer_sync() | spin_lock_irq() //(2)
(wait timer to stop) | ...
We hold oxu->lock in position (1) of thread 1, and use
del_timer_sync() to wait timer to stop, but timer handler
also need oxu->lock in position (2) of thread 2. As a result,
oxu_bus_suspend() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_irq(), which could let timer handler to obtain
the needed lock.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:10.208294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:57.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/oxu210hp-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b58d255f27b0ed6a2e43208960864d67579db58",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3d380188bde8900c3f604e82b56572896499124",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8242044c91cafbba9e320b0fb31abf2429a3221",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2dcec0bc142be2096af71a5703d63237127db204",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffe9440d698274c6462d2e304562c6ddfc8c84df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d888753872190abd18f68a7d77b9c7c367f0a7ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4187b291a76664a3c03d3f0d9bfadc8322881868",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b97aae8b43b718314012e8170b7e03dbfd2e7677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d378f2ae58138d4c55684e1d274e7dd94aa6524",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/oxu210hp-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: usb: host: Fix deadlock in oxu_bus_suspend()\n\nThere is a deadlock in oxu_bus_suspend(), which is shown below:\n\n (Thread 1) | (Thread 2)\n | timer_action()\noxu_bus_suspend() | mod_timer()\n spin_lock_irq() //(1) | (wait a time)\n ... | oxu_watchdog()\n del_timer_sync() | spin_lock_irq() //(2)\n (wait timer to stop) | ...\n\nWe hold oxu-\u003elock in position (1) of thread 1, and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need oxu-\u003elock in position (2) of thread 2. As a result,\noxu_bus_suspend() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irq(), which could let timer handler to obtain\nthe needed lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:59.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b58d255f27b0ed6a2e43208960864d67579db58"
},
{
"url": "https://git.kernel.org/stable/c/a3d380188bde8900c3f604e82b56572896499124"
},
{
"url": "https://git.kernel.org/stable/c/f8242044c91cafbba9e320b0fb31abf2429a3221"
},
{
"url": "https://git.kernel.org/stable/c/2dcec0bc142be2096af71a5703d63237127db204"
},
{
"url": "https://git.kernel.org/stable/c/ffe9440d698274c6462d2e304562c6ddfc8c84df"
},
{
"url": "https://git.kernel.org/stable/c/d888753872190abd18f68a7d77b9c7c367f0a7ab"
},
{
"url": "https://git.kernel.org/stable/c/4187b291a76664a3c03d3f0d9bfadc8322881868"
},
{
"url": "https://git.kernel.org/stable/c/b97aae8b43b718314012e8170b7e03dbfd2e7677"
},
{
"url": "https://git.kernel.org/stable/c/4d378f2ae58138d4c55684e1d274e7dd94aa6524"
}
],
"title": "drivers: usb: host: Fix deadlock in oxu_bus_suspend()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49313",
"datePublished": "2025-02-26T02:10:42.109Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:57.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49218 (GCVE-0-2022-49218)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/dp: Fix OOB read when handling Post Cursor2 register
The link_status array was not large enough to read the Adjust Request
Post Cursor2 register, so remove the common helper function to avoid
an OOB read, found with a -Warray-bounds build:
drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
59 | return link_status[r - DP_LANE0_1_STATUS];
| ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
| ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace the only user of the helper with an open-coded fetch and decode,
similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:31.327734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:04.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/dp/drm_dp.c",
"drivers/gpu/drm/tegra/dp.c",
"include/drm/dp/drm_dp_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aeaed9a9fe694f8b1462fb81e2d33298c929180b",
"status": "affected",
"version": "79465e0ffeb9e4866939ea562bc55367be91e595",
"versionType": "git"
},
{
"lessThan": "a2151490cc6c57b368d7974ffd447a8b36ade639",
"status": "affected",
"version": "79465e0ffeb9e4866939ea562bc55367be91e595",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/dp/drm_dp.c",
"drivers/gpu/drm/tegra/dp.c",
"include/drm/dp/drm_dp_helper.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp: Fix OOB read when handling Post Cursor2 register\n\nThe link_status array was not large enough to read the Adjust Request\nPost Cursor2 register, so remove the common helper function to avoid\nan OOB read, found with a -Warray-bounds build:\n\ndrivers/gpu/drm/drm_dp_helper.c: In function \u0027drm_dp_get_adjust_request_post_cursor\u0027:\ndrivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of \u0027const u8[6]\u0027 {aka \u0027const unsigned char[6]\u0027} [-Werror=array-bounds]\n 59 | return link_status[r - DP_LANE0_1_STATUS];\n | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~\ndrivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing \u0027link_status\u0027\n 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],\n | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nReplace the only user of the helper with an open-coded fetch and decode,\nsimilar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:35.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aeaed9a9fe694f8b1462fb81e2d33298c929180b"
},
{
"url": "https://git.kernel.org/stable/c/a2151490cc6c57b368d7974ffd447a8b36ade639"
}
],
"title": "drm/dp: Fix OOB read when handling Post Cursor2 register",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49218",
"datePublished": "2025-02-26T01:55:51.646Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:04.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49309 (GCVE-0-2022-49309)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-11-03 19:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
There is a deadlock in rtw_surveydone_event_callback(),
which is shown below:
(Thread 1) | (Thread 2)
| _set_timer()
rtw_surveydone_event_callback()| mod_timer()
spin_lock_bh() //(1) | (wait a time)
... | rtw_scan_timeout_handler()
del_timer_sync() | spin_lock_bh() //(2)
(wait timer to stop) | ...
We hold pmlmepriv->lock in position (1) of thread 1 and use
del_timer_sync() to wait timer to stop, but timer handler
also need pmlmepriv->lock in position (2) of thread 2.
As a result, rtw_surveydone_event_callback() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_bh(), which could let timer handler to obtain
the needed lock. What`s more, we change spin_lock_bh() in
rtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,
spin_lock_bh() will also cause deadlock() in timer handler.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:27:51.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c84e5c819600ee0628f61b33d145258ae0f3d7a7",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "f89f6c3ebf69623b8ea48200bd690e9e210335a1",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "ce129d3efd181da5fd56f4360cc8827122afa67e",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "2c41f5c341853f84b7bc2f32605d4e2782e8c279",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "cc7ad0d77b51c872d629bcd98aea463a3c4109e7",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()\n\nThere is a deadlock in rtw_surveydone_event_callback(),\nwhich is shown below:\n\n (Thread 1) | (Thread 2)\n | _set_timer()\nrtw_surveydone_event_callback()| mod_timer()\n spin_lock_bh() //(1) | (wait a time)\n ... | rtw_scan_timeout_handler()\n del_timer_sync() | spin_lock_bh() //(2)\n (wait timer to stop) | ...\n\nWe hold pmlmepriv-\u003elock in position (1) of thread 1 and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need pmlmepriv-\u003elock in position (2) of thread 2.\nAs a result, rtw_surveydone_event_callback() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_bh(), which could let timer handler to obtain\nthe needed lock. What`s more, we change spin_lock_bh() in\nrtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,\nspin_lock_bh() will also cause deadlock() in timer handler."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:54.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c84e5c819600ee0628f61b33d145258ae0f3d7a7"
},
{
"url": "https://git.kernel.org/stable/c/f89f6c3ebf69623b8ea48200bd690e9e210335a1"
},
{
"url": "https://git.kernel.org/stable/c/ce129d3efd181da5fd56f4360cc8827122afa67e"
},
{
"url": "https://git.kernel.org/stable/c/2c41f5c341853f84b7bc2f32605d4e2782e8c279"
},
{
"url": "https://git.kernel.org/stable/c/cc7ad0d77b51c872d629bcd98aea463a3c4109e7"
}
],
"title": "drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49309",
"datePublished": "2025-02-26T02:10:40.167Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-11-03T19:27:51.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21781 (GCVE-0-2025-21781)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix panic during interface removal
Reference counting is used to ensure that
batadv_hardif_neigh_node and batadv_hard_iface
are not freed before/during
batadv_v_elp_throughput_metric_update work is
finished.
But there isn't a guarantee that the hard if will
remain associated with a soft interface up until
the work is finished.
This fixes a crash triggered by reboot that looks
like this:
Call trace:
batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x178/0x398
worker_thread+0x2e8/0x4d0
kthread+0xd8/0xdc
ret_from_fork+0x10/0x20
(the batadv_v_mesh_free call is misleading,
and does not actually happen)
I was able to make the issue happen more reliably
by changing hardif_neigh->bat_v.metric_work work
to be delayed work. This allowed me to track down
and confirm the fix.
[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without
soft_iface]
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:27.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v_elp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "167422a07096a6006599067c8b55884064fa0b72",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "ce3f1545bf8fa28bd05ec113679e8e6cd23af577",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "f0a16c6c79768180333f3e41ce63f32730e3c3af",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "7eb5dd201695645af071592a50026eb780081a72",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "072b2787321903287a126c148e8db87dd7ef96fe",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "522b1596ea19e327853804da2de60aeb9c5d6f42",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "ccb7276a6d26d6f8416e315b43b45e15ee7f29e2",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v_elp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn\u0027t a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh-\u003ebat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:07.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72"
},
{
"url": "https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577"
},
{
"url": "https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af"
},
{
"url": "https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72"
},
{
"url": "https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe"
},
{
"url": "https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7"
},
{
"url": "https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42"
},
{
"url": "https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2"
}
],
"title": "batman-adv: fix panic during interface removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21781",
"datePublished": "2025-02-27T02:18:24.013Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:27.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47659 (GCVE-0-2021-47659)
Vulnerability from cvelistv5
Published
2025-02-26 02:05
Modified
2025-05-16 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/plane: Move range check for format_count earlier
While the check for format_count > 64 in __drm_universal_plane_init()
shouldn't be hit (it's a WARN_ON), in its current position it will then
leak the plane->format_types array and fail to call
drm_mode_object_unregister() leaking the modeset identifier. Move it to
the start of the function to avoid allocating those resources in the
first place.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 Version: e6fc3b68558e4c6d8d160b5daf2511b99afa8814 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ab7e453a3ee88c274cf97bee9487ab92a66d313",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "1e29d829ad51d1472dd035487953a6724b56fc33",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "b5cd108143513e4498027b96ec4710702d186f11",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "978e3d023256bfaf34a0033d40c94e8a8e70cf3c",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "787163d19bc3cdc6ca4b96223f62208534d1cf6b",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "ad6dd7a2bac86118985c7b3426e175b9d3c1ec4f",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
},
{
"lessThan": "4b674dd69701c2e22e8e7770c1706a69f3b17269",
"status": "affected",
"version": "e6fc3b68558e4c6d8d160b5daf2511b99afa8814",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/plane: Move range check for format_count earlier\n\nWhile the check for format_count \u003e 64 in __drm_universal_plane_init()\nshouldn\u0027t be hit (it\u0027s a WARN_ON), in its current position it will then\nleak the plane-\u003eformat_types array and fail to call\ndrm_mode_object_unregister() leaking the modeset identifier. Move it to\nthe start of the function to avoid allocating those resources in the\nfirst place."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T07:23:06.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ab7e453a3ee88c274cf97bee9487ab92a66d313"
},
{
"url": "https://git.kernel.org/stable/c/1e29d829ad51d1472dd035487953a6724b56fc33"
},
{
"url": "https://git.kernel.org/stable/c/b5cd108143513e4498027b96ec4710702d186f11"
},
{
"url": "https://git.kernel.org/stable/c/978e3d023256bfaf34a0033d40c94e8a8e70cf3c"
},
{
"url": "https://git.kernel.org/stable/c/787163d19bc3cdc6ca4b96223f62208534d1cf6b"
},
{
"url": "https://git.kernel.org/stable/c/ad6dd7a2bac86118985c7b3426e175b9d3c1ec4f"
},
{
"url": "https://git.kernel.org/stable/c/4b674dd69701c2e22e8e7770c1706a69f3b17269"
}
],
"title": "drm/plane: Move range check for format_count earlier",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47659",
"datePublished": "2025-02-26T02:05:56.954Z",
"dateReserved": "2025-02-26T02:04:38.057Z",
"dateUpdated": "2025-05-16T07:23:06.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21734 (GCVE-0-2025-21734)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix copy buffer page size
For non-registered buffer, fastrpc driver copies the buffer and
pass it to the remote subsystem. There is a problem with current
implementation of page size calculation which is not considering
the offset in the calculation. This might lead to passing of
improper and out-of-bounds page size which could result in
memory issue. Calculate page start and page end using the offset
adjusted address instead of absolute address.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:37.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c56ba3ea8e3c9a69a992aad18f7a65e43e51d623",
"status": "affected",
"version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
"versionType": "git"
},
{
"lessThan": "c0464bad0e85fcd5d47e4297d1e410097c979e55",
"status": "affected",
"version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
"versionType": "git"
},
{
"lessThan": "24a79c6bc8de763f7c50f4f84f8b0c183bc25a51",
"status": "affected",
"version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
"versionType": "git"
},
{
"lessThan": "c3f7161123fcbdc64e90119ccce292d8b66281c4",
"status": "affected",
"version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
"versionType": "git"
},
{
"lessThan": "e966eae72762ecfdbdb82627e2cda48845b9dd66",
"status": "affected",
"version": "02b45b47fbe84e23699bb6bdc74d4c2780e282b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix copy buffer page size\n\nFor non-registered buffer, fastrpc driver copies the buffer and\npass it to the remote subsystem. There is a problem with current\nimplementation of page size calculation which is not considering\nthe offset in the calculation. This might lead to passing of\nimproper and out-of-bounds page size which could result in\nmemory issue. Calculate page start and page end using the offset\nadjusted address instead of absolute address."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:00.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c56ba3ea8e3c9a69a992aad18f7a65e43e51d623"
},
{
"url": "https://git.kernel.org/stable/c/c0464bad0e85fcd5d47e4297d1e410097c979e55"
},
{
"url": "https://git.kernel.org/stable/c/24a79c6bc8de763f7c50f4f84f8b0c183bc25a51"
},
{
"url": "https://git.kernel.org/stable/c/c3f7161123fcbdc64e90119ccce292d8b66281c4"
},
{
"url": "https://git.kernel.org/stable/c/e966eae72762ecfdbdb82627e2cda48845b9dd66"
}
],
"title": "misc: fastrpc: Fix copy buffer page size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21734",
"datePublished": "2025-02-27T02:12:11.663Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-11-03T19:36:37.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49212 (GCVE-0-2022-49212)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
The reference counting issue happens in several error handling paths
on a refcounted object "nc->dmac". In these paths, the function simply
returns the error code, forgetting to balance the reference count of
"nc->dmac", increased earlier by dma_request_channel(), which may
cause refcount leaks.
Fix it by decrementing the refcount of specific object in those error
paths.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef Version: f88fc122cc34c2545dec9562eaab121494e401ef |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:47.729080Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:05.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/atmel/nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0856bf27057561f42b37df111603cf5a0d040294",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "9843c9c98f26c6ad843260b19bfdaa2598f2ae1e",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "9b08d211db4c447eb1a07df65e45e0aa772e0fa6",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "a3587259ae553e41d1ce8c7435351a5d6b299a11",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "fe0e2ce5c87e9c0b9485ff566362030aa55972cf",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "8baea2b96fa90af8d0f937caf4cf2105ee094d93",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "f1694169f3674cdf7553aed06864254635679878",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
},
{
"lessThan": "fecbd4a317c95d73c849648c406bcf1b6a0ec1cf",
"status": "affected",
"version": "f88fc122cc34c2545dec9562eaab121494e401ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/atmel/nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init\n\nThe reference counting issue happens in several error handling paths\non a refcounted object \"nc-\u003edmac\". In these paths, the function simply\nreturns the error code, forgetting to balance the reference count of\n\"nc-\u003edmac\", increased earlier by dma_request_channel(), which may\ncause refcount leaks.\n\nFix it by decrementing the refcount of specific object in those error\npaths."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:29.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0856bf27057561f42b37df111603cf5a0d040294"
},
{
"url": "https://git.kernel.org/stable/c/9843c9c98f26c6ad843260b19bfdaa2598f2ae1e"
},
{
"url": "https://git.kernel.org/stable/c/9b08d211db4c447eb1a07df65e45e0aa772e0fa6"
},
{
"url": "https://git.kernel.org/stable/c/a3587259ae553e41d1ce8c7435351a5d6b299a11"
},
{
"url": "https://git.kernel.org/stable/c/fe0e2ce5c87e9c0b9485ff566362030aa55972cf"
},
{
"url": "https://git.kernel.org/stable/c/8baea2b96fa90af8d0f937caf4cf2105ee094d93"
},
{
"url": "https://git.kernel.org/stable/c/f1694169f3674cdf7553aed06864254635679878"
},
{
"url": "https://git.kernel.org/stable/c/fecbd4a317c95d73c849648c406bcf1b6a0ec1cf"
}
],
"title": "mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49212",
"datePublished": "2025-02-26T01:55:48.690Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:05.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49271 (GCVE-0-2022-49271)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-29 10:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent bad output lengths in smb2_ioctl_query_info()
When calling smb2_ioctl_query_info() with
smb_query_info::flags=PASSTHRU_FSCTL and
smb_query_info::output_buffer_length=0, the following would return
0x10
buffer = memdup_user(arg + sizeof(struct smb_query_info),
qi.output_buffer_length);
if (IS_ERR(buffer)) {
kfree(vars);
return PTR_ERR(buffer);
}
rather than a valid pointer thus making IS_ERR() check fail. This
would then cause a NULL ptr deference in @buffer when accessing it
later in smb2_ioctl_query_ioctl(). While at it, prevent having a
@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
FileEndOfFileInformation requests when
smb_query_info::flags=PASSTHRU_SET_INFO.
Here is a small C reproducer which triggers a NULL ptr in @buffer when
passing an invalid smb_query_info::flags
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#define die(s) perror(s), exit(1)
#define QUERY_INFO 0xc018cf07
int main(int argc, char *argv[])
{
int fd;
if (argc < 2)
exit(1);
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open");
if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
die("ioctl");
close(fd);
return 0;
}
mount.cifs //srv/share /mnt -o ...
gcc repro.c && ./a.out /mnt/f0
[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
[ 114.146131] Call Trace:
[ 114.146291] <TASK>
[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
[ 114.147775] ? dentry_path_raw+0xa6/0xf0
[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
[ 114.149371] ? lock_downgrade+0x6f0/0x6f0
[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
[ 114.150562] ? __up_read+0x192/0x710
[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
[ 114.151296] __x64_sys_ioctl+0x127/0x190
[ 114.151549] do_syscall_64+0x3b/0x90
[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 114.152079] RIP: 0033:0x7f7aead043df
[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9963ccea6087268e1275b992dca5d0dd4b938765",
"status": "affected",
"version": "cfaa1181097f6a1a6f4f6670ebc97848efda0883",
"versionType": "git"
},
{
"lessThan": "f143f8334fb9eb2f6c7c15b9da1472d9c965fd84",
"status": "affected",
"version": "cfaa1181097f6a1a6f4f6670ebc97848efda0883",
"versionType": "git"
},
{
"lessThan": "fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53",
"status": "affected",
"version": "cfaa1181097f6a1a6f4f6670ebc97848efda0883",
"versionType": "git"
},
{
"lessThan": "7529fbee10d82493c5cb109e51788bf74816d1c0",
"status": "affected",
"version": "cfaa1181097f6a1a6f4f6670ebc97848efda0883",
"versionType": "git"
},
{
"lessThan": "b92e358757b91c2827af112cae9af513f26a3f34",
"status": "affected",
"version": "cfaa1181097f6a1a6f4f6670ebc97848efda0883",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent bad output lengths in smb2_ioctl_query_info()\n\nWhen calling smb2_ioctl_query_info() with\nsmb_query_info::flags=PASSTHRU_FSCTL and\nsmb_query_info::output_buffer_length=0, the following would return\n0x10\n\n\tbuffer = memdup_user(arg + sizeof(struct smb_query_info),\n\t\t\t qi.output_buffer_length);\n\tif (IS_ERR(buffer)) {\n\t\tkfree(vars);\n\t\treturn PTR_ERR(buffer);\n\t}\n\nrather than a valid pointer thus making IS_ERR() check fail. This\nwould then cause a NULL ptr deference in @buffer when accessing it\nlater in smb2_ioctl_query_ioctl(). While at it, prevent having a\n@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO\nFileEndOfFileInformation requests when\nsmb_query_info::flags=PASSTHRU_SET_INFO.\n\nHere is a small C reproducer which triggers a NULL ptr in @buffer when\npassing an invalid smb_query_info::flags\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003cstdint.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003cfcntl.h\u003e\n\t#include \u003csys/ioctl.h\u003e\n\n\t#define die(s) perror(s), exit(1)\n\t#define QUERY_INFO 0xc018cf07\n\n\tint main(int argc, char *argv[])\n\t{\n\t\tint fd;\n\n\t\tif (argc \u003c 2)\n\t\t\texit(1);\n\t\tfd = open(argv[1], O_RDONLY);\n\t\tif (fd == -1)\n\t\t\tdie(\"open\");\n\t\tif (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)\n\t\t\tdie(\"ioctl\");\n\t\tclose(fd);\n\t\treturn 0;\n\t}\n\n\tmount.cifs //srv/share /mnt -o ...\n\tgcc repro.c \u0026\u0026 ./a.out /mnt/f0\n\n\t[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n\t[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1\n\t[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n\t[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]\n\t[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24\n\t[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256\n\t[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d\n\t[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380\n\t[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003\n\t[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288\n\t[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000\n\t[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000\n\t[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0\n\t[ 114.146131] Call Trace:\n\t[ 114.146291] \u003cTASK\u003e\n\t[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]\n\t[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]\n\t[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]\n\t[ 114.147775] ? dentry_path_raw+0xa6/0xf0\n\t[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]\n\t[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]\n\t[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]\n\t[ 114.149371] ? lock_downgrade+0x6f0/0x6f0\n\t[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]\n\t[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0\n\t[ 114.150562] ? __up_read+0x192/0x710\n\t[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0\n\t[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0\n\t[ 114.151296] __x64_sys_ioctl+0x127/0x190\n\t[ 114.151549] do_syscall_64+0x3b/0x90\n\t[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\t[ 114.152079] RIP: 0033:0x7f7aead043df\n\t[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:49:55.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765"
},
{
"url": "https://git.kernel.org/stable/c/f143f8334fb9eb2f6c7c15b9da1472d9c965fd84"
},
{
"url": "https://git.kernel.org/stable/c/fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53"
},
{
"url": "https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0"
},
{
"url": "https://git.kernel.org/stable/c/b92e358757b91c2827af112cae9af513f26a3f34"
}
],
"title": "cifs: prevent bad output lengths in smb2_ioctl_query_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49271",
"datePublished": "2025-02-26T01:56:18.148Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-10-29T10:49:55.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49478 (GCVE-0-2022-49478)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
Syzbot reported that -1 is used as array index. The problem was in
missing validation check.
hdw->unit_number is initialized with -1 and then if init table walk fails
this value remains unchanged. Since code blindly uses this member for
array indexing adding sanity check is the easiest fix for that.
hdw->workpoll initialization moved upper to prevent warning in
__flush_work.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba Version: d855497edbfbf9e19a17f4a1154bca69cb4bd9ba |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:29.496371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/pvrusb2/pvrusb2-hdw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4351bfe36aba9fa7dc9d68d498d25d41a0f45e67",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "2e004fe914b243db41fa96f9e583385f360ea58e",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "a3660e06675bccec4bf149c7229ea1d491ba10d7",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "1310fc3538dcc375a2f46ef0a438512c2ca32827",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "a3304766d9384886e6d3092c776273526947a2e9",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "3309c2c574e13b21b44729f5bdbf21f60189b79a",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "f99a8b1ec0eddc2931aeaa4f490277a15b39f511",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "24e807541e4a9263ed928e6ae3498de3ad43bd1e",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
},
{
"lessThan": "471bec68457aaf981add77b4f590d65dd7da1059",
"status": "affected",
"version": "d855497edbfbf9e19a17f4a1154bca69cb4bd9ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/pvrusb2/pvrusb2-hdw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init\n\nSyzbot reported that -1 is used as array index. The problem was in\nmissing validation check.\n\nhdw-\u003eunit_number is initialized with -1 and then if init table walk fails\nthis value remains unchanged. Since code blindly uses this member for\narray indexing adding sanity check is the easiest fix for that.\n\nhdw-\u003eworkpoll initialization moved upper to prevent warning in\n__flush_work."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:35.676Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4351bfe36aba9fa7dc9d68d498d25d41a0f45e67"
},
{
"url": "https://git.kernel.org/stable/c/2e004fe914b243db41fa96f9e583385f360ea58e"
},
{
"url": "https://git.kernel.org/stable/c/a3660e06675bccec4bf149c7229ea1d491ba10d7"
},
{
"url": "https://git.kernel.org/stable/c/1310fc3538dcc375a2f46ef0a438512c2ca32827"
},
{
"url": "https://git.kernel.org/stable/c/a3304766d9384886e6d3092c776273526947a2e9"
},
{
"url": "https://git.kernel.org/stable/c/3309c2c574e13b21b44729f5bdbf21f60189b79a"
},
{
"url": "https://git.kernel.org/stable/c/f99a8b1ec0eddc2931aeaa4f490277a15b39f511"
},
{
"url": "https://git.kernel.org/stable/c/24e807541e4a9263ed928e6ae3498de3ad43bd1e"
},
{
"url": "https://git.kernel.org/stable/c/471bec68457aaf981add77b4f590d65dd7da1059"
}
],
"title": "media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49478",
"datePublished": "2025-02-26T02:13:19.330Z",
"dateReserved": "2025-02-26T02:08:31.581Z",
"dateUpdated": "2025-10-01T19:46:45.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49179 (GCVE-0-2022-49179)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: don't move oom_bfqq
Our test report a UAF:
[ 2073.019181] ==================================================================
[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584
[ 2073.019192]
[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5
[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 2073.019200] Call trace:
[ 2073.019203] dump_backtrace+0x0/0x310
[ 2073.019206] show_stack+0x28/0x38
[ 2073.019210] dump_stack+0xec/0x15c
[ 2073.019216] print_address_description+0x68/0x2d0
[ 2073.019220] kasan_report+0x238/0x2f0
[ 2073.019224] __asan_store8+0x88/0xb0
[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019233] bfq_put_async_queues+0xbc/0x208
[ 2073.019236] bfq_pd_offline+0x178/0x238
[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019244] bfq_exit_queue+0x128/0x178
[ 2073.019249] blk_mq_exit_sched+0x12c/0x160
[ 2073.019252] elevator_exit+0xc8/0xd0
[ 2073.019256] blk_exit_queue+0x50/0x88
[ 2073.019259] blk_cleanup_queue+0x228/0x3d8
[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019274] null_exit+0x90/0x114 [null_blk]
[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019282] el0_svc_common+0xc8/0x320
[ 2073.019287] el0_svc_handler+0xf8/0x160
[ 2073.019290] el0_svc+0x10/0x218
[ 2073.019291]
[ 2073.019294] Allocated by task 14163:
[ 2073.019301] kasan_kmalloc+0xe0/0x190
[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418
[ 2073.019308] bfq_pd_alloc+0x54/0x118
[ 2073.019313] blkcg_activate_policy+0x250/0x460
[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110
[ 2073.019321] bfq_init_queue+0x6d0/0x948
[ 2073.019325] blk_mq_init_sched+0x1d8/0x390
[ 2073.019330] elevator_switch_mq+0x88/0x170
[ 2073.019334] elevator_switch+0x140/0x270
[ 2073.019338] elv_iosched_store+0x1a4/0x2a0
[ 2073.019342] queue_attr_store+0x90/0xe0
[ 2073.019348] sysfs_kf_write+0xa8/0xe8
[ 2073.019351] kernfs_fop_write+0x1f8/0x378
[ 2073.019359] __vfs_write+0xe0/0x360
[ 2073.019363] vfs_write+0xf0/0x270
[ 2073.019367] ksys_write+0xdc/0x1b8
[ 2073.019371] __arm64_sys_write+0x50/0x60
[ 2073.019375] el0_svc_common+0xc8/0x320
[ 2073.019380] el0_svc_handler+0xf8/0x160
[ 2073.019383] el0_svc+0x10/0x218
[ 2073.019385]
[ 2073.019387] Freed by task 72584:
[ 2073.019391] __kasan_slab_free+0x120/0x228
[ 2073.019394] kasan_slab_free+0x10/0x18
[ 2073.019397] kfree+0x94/0x368
[ 2073.019400] bfqg_put+0x64/0xb0
[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0
[ 2073.019408] bfq_put_queue+0x220/0x228
[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168
[ 2073.019416] bfq_put_async_queues+0xbc/0x208
[ 2073.019420] bfq_pd_offline+0x178/0x238
[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019429] bfq_exit_queue+0x128/0x178
[ 2073.019433] blk_mq_exit_sched+0x12c/0x160
[ 2073.019437] elevator_exit+0xc8/0xd0
[ 2073.019440] blk_exit_queue+0x50/0x88
[ 2073.019443] blk_cleanup_queue+0x228/0x3d8
[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019459] null_exit+0x90/0x114 [null_blk]
[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019467] el0_svc_common+0xc8/0x320
[ 2073.019471] el0_svc_handler+0xf8/0x160
[ 2073.019474] el0_svc+0x10/0x218
[ 2073.019475]
[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00
which belongs to the cache kmalloc-1024 of size 1024
[ 2073.019484] The buggy address is located 552 bytes inside of
1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)
[ 2073.019486] The buggy address belongs to the page:
[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0
[ 2073.020123] flags: 0x7ffff0000008100(slab|head)
[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00
[ 2073.020409] ra
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:03.662860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4f5a678add58a8a0e7ee5e038496b376ea6d205",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "7507ead1e9d42957c2340f2c4a0e9d00034e3366",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "8f34dea99cd7761156a146a5258a67d045d862f7",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "87fdfe8589d43e471dffb4c60f75eeb6f37afc4c",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "c01fced8d38fbccc82787065229578006f28e020",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "8410f70977734f21b8ed45c37e925d311dfda2e7",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: don\u0027t move oom_bfqq\n\nOur test report a UAF:\n\n[ 2073.019181] ==================================================================\n[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584\n[ 2073.019192]\n[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5\n[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 2073.019200] Call trace:\n[ 2073.019203] dump_backtrace+0x0/0x310\n[ 2073.019206] show_stack+0x28/0x38\n[ 2073.019210] dump_stack+0xec/0x15c\n[ 2073.019216] print_address_description+0x68/0x2d0\n[ 2073.019220] kasan_report+0x238/0x2f0\n[ 2073.019224] __asan_store8+0x88/0xb0\n[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019233] bfq_put_async_queues+0xbc/0x208\n[ 2073.019236] bfq_pd_offline+0x178/0x238\n[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019244] bfq_exit_queue+0x128/0x178\n[ 2073.019249] blk_mq_exit_sched+0x12c/0x160\n[ 2073.019252] elevator_exit+0xc8/0xd0\n[ 2073.019256] blk_exit_queue+0x50/0x88\n[ 2073.019259] blk_cleanup_queue+0x228/0x3d8\n[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019274] null_exit+0x90/0x114 [null_blk]\n[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019282] el0_svc_common+0xc8/0x320\n[ 2073.019287] el0_svc_handler+0xf8/0x160\n[ 2073.019290] el0_svc+0x10/0x218\n[ 2073.019291]\n[ 2073.019294] Allocated by task 14163:\n[ 2073.019301] kasan_kmalloc+0xe0/0x190\n[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418\n[ 2073.019308] bfq_pd_alloc+0x54/0x118\n[ 2073.019313] blkcg_activate_policy+0x250/0x460\n[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110\n[ 2073.019321] bfq_init_queue+0x6d0/0x948\n[ 2073.019325] blk_mq_init_sched+0x1d8/0x390\n[ 2073.019330] elevator_switch_mq+0x88/0x170\n[ 2073.019334] elevator_switch+0x140/0x270\n[ 2073.019338] elv_iosched_store+0x1a4/0x2a0\n[ 2073.019342] queue_attr_store+0x90/0xe0\n[ 2073.019348] sysfs_kf_write+0xa8/0xe8\n[ 2073.019351] kernfs_fop_write+0x1f8/0x378\n[ 2073.019359] __vfs_write+0xe0/0x360\n[ 2073.019363] vfs_write+0xf0/0x270\n[ 2073.019367] ksys_write+0xdc/0x1b8\n[ 2073.019371] __arm64_sys_write+0x50/0x60\n[ 2073.019375] el0_svc_common+0xc8/0x320\n[ 2073.019380] el0_svc_handler+0xf8/0x160\n[ 2073.019383] el0_svc+0x10/0x218\n[ 2073.019385]\n[ 2073.019387] Freed by task 72584:\n[ 2073.019391] __kasan_slab_free+0x120/0x228\n[ 2073.019394] kasan_slab_free+0x10/0x18\n[ 2073.019397] kfree+0x94/0x368\n[ 2073.019400] bfqg_put+0x64/0xb0\n[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0\n[ 2073.019408] bfq_put_queue+0x220/0x228\n[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168\n[ 2073.019416] bfq_put_async_queues+0xbc/0x208\n[ 2073.019420] bfq_pd_offline+0x178/0x238\n[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019429] bfq_exit_queue+0x128/0x178\n[ 2073.019433] blk_mq_exit_sched+0x12c/0x160\n[ 2073.019437] elevator_exit+0xc8/0xd0\n[ 2073.019440] blk_exit_queue+0x50/0x88\n[ 2073.019443] blk_cleanup_queue+0x228/0x3d8\n[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019459] null_exit+0x90/0x114 [null_blk]\n[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019467] el0_svc_common+0xc8/0x320\n[ 2073.019471] el0_svc_handler+0xf8/0x160\n[ 2073.019474] el0_svc+0x10/0x218\n[ 2073.019475]\n[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00\n which belongs to the cache kmalloc-1024 of size 1024\n[ 2073.019484] The buggy address is located 552 bytes inside of\n 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)\n[ 2073.019486] The buggy address belongs to the page:\n[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0\n[ 2073.020123] flags: 0x7ffff0000008100(slab|head)\n[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00\n[ 2073.020409] ra\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:42.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4f5a678add58a8a0e7ee5e038496b376ea6d205"
},
{
"url": "https://git.kernel.org/stable/c/7507ead1e9d42957c2340f2c4a0e9d00034e3366"
},
{
"url": "https://git.kernel.org/stable/c/8f34dea99cd7761156a146a5258a67d045d862f7"
},
{
"url": "https://git.kernel.org/stable/c/87fdfe8589d43e471dffb4c60f75eeb6f37afc4c"
},
{
"url": "https://git.kernel.org/stable/c/c01fced8d38fbccc82787065229578006f28e020"
},
{
"url": "https://git.kernel.org/stable/c/8410f70977734f21b8ed45c37e925d311dfda2e7"
}
],
"title": "block, bfq: don\u0027t move oom_bfqq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49179",
"datePublished": "2025-02-26T01:55:32.100Z",
"dateReserved": "2025-02-26T01:49:39.281Z",
"dateUpdated": "2025-05-04T08:31:42.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49285 (GCVE-0-2022-49285)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: mma8452: use the correct logic to get mma8452_data
The original logic to get mma8452_data is wrong, the *dev point to
the device belong to iio_dev. we can't use this dev to find the
correct i2c_client. The original logic happen to work because it
finally use dev->driver_data to get iio_dev. Here use the API
to_i2c_client() is wrong and make reader confuse. To correct the
logic, it should be like this
struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));
But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove
unnecessary self drvdata"), the upper logic also can't work.
When try to show the avialable scale in userspace, will meet kernel
dump, kernel handle NULL pointer dereference.
So use dev_to_iio_dev() to correct the logic.
Dual fixes tags as the second reflects when the bug was exposed, whilst
the first reflects when the original bug was introduced.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/mma8452.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c0bb583a4444cce224e8661090cbffc98e2fe07",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
},
{
"lessThan": "d2d9ebdbff79d87d27652578e6d1638ad3b5f3bf",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
},
{
"lessThan": "c87b7b12f48db86ac9909894f4dc0107d7df6375",
"status": "affected",
"version": "c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/mma8452.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: mma8452: use the correct logic to get mma8452_data\n\nThe original logic to get mma8452_data is wrong, the *dev point to\nthe device belong to iio_dev. we can\u0027t use this dev to find the\ncorrect i2c_client. The original logic happen to work because it\nfinally use dev-\u003edriver_data to get iio_dev. Here use the API\nto_i2c_client() is wrong and make reader confuse. To correct the\nlogic, it should be like this\n\n struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));\n\nBut after commit 8b7651f25962 (\"iio: iio_device_alloc(): Remove\nunnecessary self drvdata\"), the upper logic also can\u0027t work.\nWhen try to show the avialable scale in userspace, will meet kernel\ndump, kernel handle NULL pointer dereference.\n\nSo use dev_to_iio_dev() to correct the logic.\n\nDual fixes tags as the second reflects when the bug was exposed, whilst\nthe first reflects when the original bug was introduced."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:15.589Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c0bb583a4444cce224e8661090cbffc98e2fe07"
},
{
"url": "https://git.kernel.org/stable/c/d2d9ebdbff79d87d27652578e6d1638ad3b5f3bf"
},
{
"url": "https://git.kernel.org/stable/c/c87b7b12f48db86ac9909894f4dc0107d7df6375"
}
],
"title": "iio: accel: mma8452: use the correct logic to get mma8452_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49285",
"datePublished": "2025-02-26T01:56:25.096Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:15.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53024 (GCVE-0-2023-53024)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation
To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") inserts lfence
instructions after 1) initializing a stack slot and 2) spilling a
pointer to the stack.
However, this does not cover cases where a stack slot is first
initialized with a pointer (subject to sanitization) but then
overwritten with a scalar (not subject to sanitization because
the slot was already initialized). In this case, the second write
may be subject to speculative store bypass (SSB) creating a
speculative pointer-as-scalar type confusion. This allows the
program to subsequently leak the numerical pointer value using,
for example, a branch-based cache side channel.
To fix this, also sanitize scalars if they write a stack slot
that previously contained a pointer. Assuming that pointer-spills
are only generated by LLVM on register-pressure, the performance
impact on most real-world BPF programs should be small.
The following unprivileged BPF bytecode drafts a minimal exploit
and the mitigation:
[...]
// r6 = 0 or 1 (skalar, unknown user input)
// r7 = accessible ptr for side channel
// r10 = frame pointer (fp), to be leaked
//
r9 = r10 # fp alias to encourage ssb
*(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
// lfence added here because of pointer spill to stack.
//
// Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
// for no r9-r10 dependency.
//
*(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
// 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
// store may be subject to SSB
//
// fix: also add an lfence when the slot contained a ptr
//
r8 = *(u64 *)(r9 - 8)
// r8 = architecturally a scalar, speculatively a ptr
//
// leak ptr using branch-based cache side channel:
r8 &= 1 // choose bit to leak
if r8 == 0 goto SLOW // no mispredict
// architecturally dead code if input r6 is 0,
// only executes speculatively iff ptr bit is 1
r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
SLOW:
[...]
After running this, the program can time the access to *(r7 + 0) to
determine whether the chosen pointer bit was 0 or 1. Repeat this 64
times to recover the whole address on amd64.
In summary, sanitization can only be skipped if one scalar is
overwritten with another scalar. Scalar-confusion due to speculative
store bypass can not lead to invalid accesses because the pointer
bounds deducted during verification are enforced using branchless
logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
pointer arithmetic") for details.
Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
because speculative leaks are likely unexpected if these were enabled.
For example, leaking the address to a protected log file may be acceptable
while disabling the mitigation might unintentionally leak the address
into the cached-state of a map that is accessible to unprivileged
processes.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 872968502114d68c21419cf7eb5ab97717e7b803 Version: f5893af2704eb763eb982f01d573f5b19f06b623 Version: 0e9280654aa482088ee6ef3deadef331f5ac5fb0 Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 0b27bdf02c400684225ee5ee99970bcbf5082282 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aae109414a57ab4164218f36e2e4a17f027fcaaa",
"status": "affected",
"version": "872968502114d68c21419cf7eb5ab97717e7b803",
"versionType": "git"
},
{
"lessThan": "81b3374944d201872cfcf82730a7860f8e7c31dd",
"status": "affected",
"version": "f5893af2704eb763eb982f01d573f5b19f06b623",
"versionType": "git"
},
{
"lessThan": "da75dec7c6617bddad418159ffebcb133f008262",
"status": "affected",
"version": "0e9280654aa482088ee6ef3deadef331f5ac5fb0",
"versionType": "git"
},
{
"lessThan": "01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"lessThan": "b0c89ef025562161242a7c19b213bd6b272e93df",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"lessThan": "e4f4db47794c9f474b184ee1418f42e6a07412b6",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"status": "affected",
"version": "0b27bdf02c400684225ee5ee99970bcbf5082282",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.10.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\n\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\n\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\n\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\n\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n\n [...]\n // r6 = 0 or 1 (skalar, unknown user input)\n // r7 = accessible ptr for side channel\n // r10 = frame pointer (fp), to be leaked\n //\n r9 = r10 # fp alias to encourage ssb\n *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n // lfence added here because of pointer spill to stack.\n //\n // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n // for no r9-r10 dependency.\n //\n *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n // store may be subject to SSB\n //\n // fix: also add an lfence when the slot contained a ptr\n //\n r8 = *(u64 *)(r9 - 8)\n // r8 = architecturally a scalar, speculatively a ptr\n //\n // leak ptr using branch-based cache side channel:\n r8 \u0026= 1 // choose bit to leak\n if r8 == 0 goto SLOW // no mispredict\n // architecturally dead code if input r6 is 0,\n // only executes speculatively iff ptr bit is 1\n r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n [...]\n\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\n\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\n\nDo not make the mitigation depend on !env-\u003eallow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:06.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa"
},
{
"url": "https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd"
},
{
"url": "https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262"
},
{
"url": "https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528"
},
{
"url": "https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df"
},
{
"url": "https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6"
}
],
"title": "bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53024",
"datePublished": "2025-03-27T16:43:49.824Z",
"dateReserved": "2025-03-27T16:40:15.753Z",
"dateUpdated": "2025-05-04T12:50:06.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21703 (GCVE-0-2025-21703)
Vulnerability from cvelistv5
Published
2025-02-18 14:37
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would miss the opportunity
to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
since DRR uses ->qlen_notify() to maintain its active list.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31 Version: 216509dda290f6db92c816dd54b83c1df9da9e76 Version: c2047b0e216c8edce227d7c42f99ac2877dad0e4 Version: 10df49cfca73dfbbdb6c4150d859f7e8926ae427 Version: 3824c5fad18eeb7abe0c4fc966f29959552dca3e Version: 356078a5c55ec8d2061fcc009fb8599f5b0527f9 Version: f8d4bc455047cf3903cd6f85f49978987dbb3027 Version: f8d4bc455047cf3903cd6f85f49978987dbb3027 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:38:37.163490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:46:03.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:52.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c",
"status": "affected",
"version": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31",
"versionType": "git"
},
{
"lessThan": "7f31d74fcc556a9166b1bb20515542de7bb939d1",
"status": "affected",
"version": "216509dda290f6db92c816dd54b83c1df9da9e76",
"versionType": "git"
},
{
"lessThan": "98a2c685293aae122f688cde11d9334dddc5d207",
"status": "affected",
"version": "c2047b0e216c8edce227d7c42f99ac2877dad0e4",
"versionType": "git"
},
{
"lessThan": "7b79ca9a1de6a428d486ff52fb3d602321c08f55",
"status": "affected",
"version": "10df49cfca73dfbbdb6c4150d859f7e8926ae427",
"versionType": "git"
},
{
"lessThan": "1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5",
"status": "affected",
"version": "3824c5fad18eeb7abe0c4fc966f29959552dca3e",
"versionType": "git"
},
{
"lessThan": "6312555249082d6d8cc5321ff725df05482d8b83",
"status": "affected",
"version": "356078a5c55ec8d2061fcc009fb8599f5b0527f9",
"versionType": "git"
},
{
"lessThan": "839ecc583fa00fab785fde1c85a326743657fd32",
"status": "affected",
"version": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
"versionType": "git"
},
{
"lessThan": "638ba5089324796c2ee49af10427459c2de35f71",
"status": "affected",
"version": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.4.288",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.6.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.12.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch-\u003eq.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops-\u003eqlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses -\u003eqlen_notify() to maintain its active list."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:20.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c"
},
{
"url": "https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1"
},
{
"url": "https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207"
},
{
"url": "https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55"
},
{
"url": "https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5"
},
{
"url": "https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83"
},
{
"url": "https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32"
},
{
"url": "https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71"
}
],
"title": "netem: Update sch-\u003eq.qlen before qdisc_tree_reduce_backlog()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21703",
"datePublished": "2025-02-18T14:37:44.261Z",
"dateReserved": "2024-12-29T08:45:45.751Z",
"dateUpdated": "2025-11-03T19:35:52.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49249 (GCVE-0-2022-49249)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wc938x: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
Fix this by using enumerated items instead of integers.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adafea71b49ec4dbc44e0b84ec6eb602004a7a08",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "f03c0c94186d5876857132d97e28f20cdc100bdc",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "d09aee1b1da196be11ed86dd4897f228f2487613",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
},
{
"lessThan": "cc587b7c8fbbe128f6bd0dad025a0caea5e6d164",
"status": "affected",
"version": "e8ba1e05bdc016700c85fad559a812c2e795442f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd938x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wc938x: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes.\n\nFix this by using enumerated items instead of integers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:20.386Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adafea71b49ec4dbc44e0b84ec6eb602004a7a08"
},
{
"url": "https://git.kernel.org/stable/c/f03c0c94186d5876857132d97e28f20cdc100bdc"
},
{
"url": "https://git.kernel.org/stable/c/d09aee1b1da196be11ed86dd4897f228f2487613"
},
{
"url": "https://git.kernel.org/stable/c/cc587b7c8fbbe128f6bd0dad025a0caea5e6d164"
}
],
"title": "ASoC: codecs: wc938x: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49249",
"datePublished": "2025-02-26T01:56:07.215Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:20.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49655 (GCVE-0-2022-49655)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fscache: Fix invalidation/lookup race
If an NFS file is opened for writing and closed, fscache_invalidate() will
be asked to invalidate the file - however, if the cookie is in the
LOOKING_UP state (or the CREATING state), then request to invalidate
doesn't get recorded for fscache_cookie_state_machine() to do something
with.
Fix this by making __fscache_invalidate() set a flag if it sees the cookie
is in the LOOKING_UP state to indicate that we need to go to invalidation.
Note that this requires a count on the n_accesses counter for the state
machine, which that will release when it's done.
fscache_cookie_state_machine() then shifts to the INVALIDATING state if it
sees the flag.
Without this, an nfs file can get corrupted if it gets modified locally and
then read locally as the cache contents may not get updated.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fscache/cookie.c",
"include/linux/fscache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1ae9f617f8a5c848d9205b8e228c6f0d1af754b",
"status": "affected",
"version": "d24af13e2e2358a602740c7817ea90da43d3e740",
"versionType": "git"
},
{
"lessThan": "85e4ea1049c70fb99de5c6057e835d151fb647da",
"status": "affected",
"version": "d24af13e2e2358a602740c7817ea90da43d3e740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fscache/cookie.c",
"include/linux/fscache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Fix invalidation/lookup race\n\nIf an NFS file is opened for writing and closed, fscache_invalidate() will\nbe asked to invalidate the file - however, if the cookie is in the\nLOOKING_UP state (or the CREATING state), then request to invalidate\ndoesn\u0027t get recorded for fscache_cookie_state_machine() to do something\nwith.\n\nFix this by making __fscache_invalidate() set a flag if it sees the cookie\nis in the LOOKING_UP state to indicate that we need to go to invalidation.\nNote that this requires a count on the n_accesses counter for the state\nmachine, which that will release when it\u0027s done.\n\nfscache_cookie_state_machine() then shifts to the INVALIDATING state if it\nsees the flag.\n\nWithout this, an nfs file can get corrupted if it gets modified locally and\nthen read locally as the cache contents may not get updated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:40.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1ae9f617f8a5c848d9205b8e228c6f0d1af754b"
},
{
"url": "https://git.kernel.org/stable/c/85e4ea1049c70fb99de5c6057e835d151fb647da"
}
],
"title": "fscache: Fix invalidation/lookup race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49655",
"datePublished": "2025-02-26T02:23:55.483Z",
"dateReserved": "2025-02-26T02:21:30.434Z",
"dateUpdated": "2025-05-04T08:42:40.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21726 (GCVE-0-2025-21726)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: avoid UAF for reorder_work
Although the previous patch can avoid ps and ps UAF for _do_serial, it
can not avoid potential UAF issue for reorder_work. This issue can
happen just as below:
crypto_request crypto_request crypto_del_alg
padata_do_serial
...
padata_reorder
// processes all remaining
// requests then breaks
while (1) {
if (!padata)
break;
...
}
padata_do_serial
// new request added
list_add
// sees the new request
queue_work(reorder_work)
padata_reorder
queue_work_on(squeue->work)
...
<kworker context>
padata_serial_worker
// completes new request,
// no more outstanding
// requests
crypto_del_alg
// free pd
<kworker context>
invoke_padata_reorder
// UAF of pd
To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: bbefa1dd6a6d53537c11624752219e39959d04fb Version: b4c8ed0bf977760a206997b6429a7ac91978f440 Version: e43d65719527043f1ef79ecba9d4ede58cbc7ffe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:10.478288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:28.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:27.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "7000507bb0d2ceb545c0a690e0c707c897d102c2",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "a54091c24220a4cd847d5b4f36d678edacddbaf0",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"lessThan": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
"status": "affected",
"version": "bbefa1dd6a6d53537c11624752219e39959d04fb",
"versionType": "git"
},
{
"status": "affected",
"version": "b4c8ed0bf977760a206997b6429a7ac91978f440",
"versionType": "git"
},
{
"status": "affected",
"version": "e43d65719527043f1ef79ecba9d4ede58cbc7ffe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: avoid UAF for reorder_work\n\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\n\ncrypto_request\t\t\tcrypto_request\t\tcrypto_del_alg\npadata_do_serial\n ...\n padata_reorder\n // processes all remaining\n // requests then breaks\n while (1) {\n if (!padata)\n break;\n ...\n }\n\n\t\t\t\tpadata_do_serial\n\t\t\t\t // new request added\n\t\t\t\t list_add\n // sees the new request\n queue_work(reorder_work)\n\t\t\t\t padata_reorder\n\t\t\t\t queue_work_on(squeue-\u003ework)\n...\n\n\t\t\t\t\u003ckworker context\u003e\n\t\t\t\tpadata_serial_worker\n\t\t\t\t// completes new request,\n\t\t\t\t// no more outstanding\n\t\t\t\t// requests\n\n\t\t\t\t\t\t\tcrypto_del_alg\n\t\t\t\t\t\t\t // free pd\n\n\u003ckworker context\u003e\ninvoke_padata_reorder\n // UAF of pd\n\nTo avoid UAF for \u0027reorder_work\u0027, get \u0027pd\u0027 ref before put \u0027reorder_work\u0027\ninto the \u0027serial_wq\u0027 and put \u0027pd\u0027 ref until the \u0027serial_wq\u0027 finish."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:27.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"
},
{
"url": "https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"
},
{
"url": "https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2"
},
{
"url": "https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc"
},
{
"url": "https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"
},
{
"url": "https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0"
},
{
"url": "https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"
}
],
"title": "padata: avoid UAF for reorder_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21726",
"datePublished": "2025-02-27T02:07:32.861Z",
"dateReserved": "2024-12-29T08:45:45.754Z",
"dateUpdated": "2025-11-03T19:36:27.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49175 (GCVE-0-2022-49175)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM: core: keep irq flags in device_pm_check_callbacks()
The function device_pm_check_callbacks() can be called under the spin
lock (in the reported case it happens from genpd_add_device() ->
dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes.
However this function uncoditionally uses spin_lock_irq() /
spin_unlock_irq(), thus not preserving the CPU flags. Use the
irqsave/irqrestore instead.
The backtrace for the reference:
[ 2.752010] ------------[ cut here ]------------
[ 2.756769] raw_local_irq_restore() called with IRQs enabled
[ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50
[ 2.772338] Modules linked in:
[ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684
[ 2.781384] Freeing initrd memory: 46024K
[ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50
[ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50
[ 2.785846] sp : ffff80000805b7d0
[ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002
[ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800
[ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00
[ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff
[ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7
[ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8
[ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0
[ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0
[ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000
[ 2.889774] Call trace:
[ 2.892290] warn_bogus_irq_restore+0x34/0x50
[ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0
[ 2.901690] genpd_unlock_spin+0x20/0x30
[ 2.905724] genpd_add_device+0x100/0x2d0
[ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c
[ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190
[ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0
[ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30
[ 2.929102] psci_dt_attach_cpu+0x24/0x90
[ 2.933230] psci_cpuidle_probe+0x2d4/0x46c
[ 2.937534] platform_probe+0x68/0xe0
[ 2.941304] really_probe.part.0+0x9c/0x2fc
[ 2.945605] __driver_probe_device+0x98/0x144
[ 2.950085] driver_probe_device+0x44/0x15c
[ 2.954385] __device_attach_driver+0xb8/0x120
[ 2.958950] bus_for_each_drv+0x78/0xd0
[ 2.962896] __device_attach+0xd8/0x180
[ 2.966843] device_initial_probe+0x14/0x20
[ 2.971144] bus_probe_device+0x9c/0xa4
[ 2.975092] device_add+0x380/0x88c
[ 2.978679] platform_device_add+0x114/0x234
[ 2.983067] platform_device_register_full+0x100/0x190
[ 2.988344] psci_idle_init+0x6c/0xb0
[ 2.992113] do_one_initcall+0x74/0x3a0
[ 2.996060] kernel_init_freeable+0x2fc/0x384
[ 3.000543] kernel_init+0x28/0x130
[ 3.004132] ret_from_fork+0x10/0x20
[ 3.007817] irq event stamp: 319826
[ 3.011404] hardirqs last enabled at (319825): [<ffffd40e7eda0268>] __up_console_sem+0x78/0x84
[ 3.020332] hardirqs last disabled at (319826): [<ffffd40e7fd6d9d8>] el1_dbg+0x24/0x8c
[ 3.028458] softirqs last enabled at (318312): [<ffffd40e7ec90410>] _stext+0x410/0x588
[ 3.036678] softirqs last disabled at (318299): [<ffffd40e7ed1bf68>] __irq_exit_rcu+0x158/0x174
[ 3.045607] ---[ end trace 0000000000000000 ]---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/power/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ec80d52b9b74b9e691997632a543c73eddfeba0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78c4d68b952f5f537788dbd454031ea9bf50f642",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be8bc05f38d667eda1e820bc6f69234795be7809",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0cccf9d4fb45f1acbc0bbf6d7e4d8d0fb7a10416",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ede1ef1a7de973321699736ef96d01a4b9a6fe9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c29642ba72f87c0a3d7449f7db5d6d76a7ed53c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2add538e57a2825c61d639260386f385c75e4166",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c7c0ec5a1dcc3eaa1e85c804c2ccf46e457788a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "524bb1da785a7ae43dd413cd392b5071c6c367f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/power/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: core: keep irq flags in device_pm_check_callbacks()\n\nThe function device_pm_check_callbacks() can be called under the spin\nlock (in the reported case it happens from genpd_add_device() -\u003e\ndev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes.\n\nHowever this function uncoditionally uses spin_lock_irq() /\nspin_unlock_irq(), thus not preserving the CPU flags. Use the\nirqsave/irqrestore instead.\n\nThe backtrace for the reference:\n[ 2.752010] ------------[ cut here ]------------\n[ 2.756769] raw_local_irq_restore() called with IRQs enabled\n[ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50\n[ 2.772338] Modules linked in:\n[ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684\n[ 2.781384] Freeing initrd memory: 46024K\n[ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50\n[ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50\n[ 2.785846] sp : ffff80000805b7d0\n[ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002\n[ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800\n[ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00\n[ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff\n[ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7\n[ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8\n[ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0\n[ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0\n[ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000\n[ 2.889774] Call trace:\n[ 2.892290] warn_bogus_irq_restore+0x34/0x50\n[ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0\n[ 2.901690] genpd_unlock_spin+0x20/0x30\n[ 2.905724] genpd_add_device+0x100/0x2d0\n[ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c\n[ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190\n[ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0\n[ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30\n[ 2.929102] psci_dt_attach_cpu+0x24/0x90\n[ 2.933230] psci_cpuidle_probe+0x2d4/0x46c\n[ 2.937534] platform_probe+0x68/0xe0\n[ 2.941304] really_probe.part.0+0x9c/0x2fc\n[ 2.945605] __driver_probe_device+0x98/0x144\n[ 2.950085] driver_probe_device+0x44/0x15c\n[ 2.954385] __device_attach_driver+0xb8/0x120\n[ 2.958950] bus_for_each_drv+0x78/0xd0\n[ 2.962896] __device_attach+0xd8/0x180\n[ 2.966843] device_initial_probe+0x14/0x20\n[ 2.971144] bus_probe_device+0x9c/0xa4\n[ 2.975092] device_add+0x380/0x88c\n[ 2.978679] platform_device_add+0x114/0x234\n[ 2.983067] platform_device_register_full+0x100/0x190\n[ 2.988344] psci_idle_init+0x6c/0xb0\n[ 2.992113] do_one_initcall+0x74/0x3a0\n[ 2.996060] kernel_init_freeable+0x2fc/0x384\n[ 3.000543] kernel_init+0x28/0x130\n[ 3.004132] ret_from_fork+0x10/0x20\n[ 3.007817] irq event stamp: 319826\n[ 3.011404] hardirqs last enabled at (319825): [\u003cffffd40e7eda0268\u003e] __up_console_sem+0x78/0x84\n[ 3.020332] hardirqs last disabled at (319826): [\u003cffffd40e7fd6d9d8\u003e] el1_dbg+0x24/0x8c\n[ 3.028458] softirqs last enabled at (318312): [\u003cffffd40e7ec90410\u003e] _stext+0x410/0x588\n[ 3.036678] softirqs last disabled at (318299): [\u003cffffd40e7ed1bf68\u003e] __irq_exit_rcu+0x158/0x174\n[ 3.045607] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:37.398Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ec80d52b9b74b9e691997632a543c73eddfeba0"
},
{
"url": "https://git.kernel.org/stable/c/78c4d68b952f5f537788dbd454031ea9bf50f642"
},
{
"url": "https://git.kernel.org/stable/c/be8bc05f38d667eda1e820bc6f69234795be7809"
},
{
"url": "https://git.kernel.org/stable/c/0cccf9d4fb45f1acbc0bbf6d7e4d8d0fb7a10416"
},
{
"url": "https://git.kernel.org/stable/c/ede1ef1a7de973321699736ef96d01a4b9a6fe9e"
},
{
"url": "https://git.kernel.org/stable/c/c29642ba72f87c0a3d7449f7db5d6d76a7ed53c3"
},
{
"url": "https://git.kernel.org/stable/c/2add538e57a2825c61d639260386f385c75e4166"
},
{
"url": "https://git.kernel.org/stable/c/c7c0ec5a1dcc3eaa1e85c804c2ccf46e457788a3"
},
{
"url": "https://git.kernel.org/stable/c/524bb1da785a7ae43dd413cd392b5071c6c367f8"
}
],
"title": "PM: core: keep irq flags in device_pm_check_callbacks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49175",
"datePublished": "2025-02-26T01:55:30.087Z",
"dateReserved": "2025-02-26T01:49:39.280Z",
"dateUpdated": "2025-05-04T08:31:37.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49566 (GCVE-0-2022-49566)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - fix memory leak in RSA
When an RSA key represented in form 2 (as defined in PKCS #1 V2.1) is
used, some components of the private key persist even after the TFM is
released.
Replace the explicit calls to free the buffers in qat_rsa_exit_tfm()
with a call to qat_rsa_clear_ctx() which frees all buffers referenced in
the TFM context.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:03.443358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a843925e0287eebb4aa808666bf22c664dfe4c53",
"status": "affected",
"version": "879f77e9071f029e1c9bd5a75814ecf51370f846",
"versionType": "git"
},
{
"lessThan": "0f967fdc09955221a1951a279481b0bf4d359941",
"status": "affected",
"version": "879f77e9071f029e1c9bd5a75814ecf51370f846",
"versionType": "git"
},
{
"lessThan": "80a52e1ee7757b742f96bfb0d58f0c14eb6583d0",
"status": "affected",
"version": "879f77e9071f029e1c9bd5a75814ecf51370f846",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix memory leak in RSA\n\nWhen an RSA key represented in form 2 (as defined in PKCS #1 V2.1) is\nused, some components of the private key persist even after the TFM is\nreleased.\nReplace the explicit calls to free the buffers in qat_rsa_exit_tfm()\nwith a call to qat_rsa_clear_ctx() which frees all buffers referenced in\nthe TFM context."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:46.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a843925e0287eebb4aa808666bf22c664dfe4c53"
},
{
"url": "https://git.kernel.org/stable/c/0f967fdc09955221a1951a279481b0bf4d359941"
},
{
"url": "https://git.kernel.org/stable/c/80a52e1ee7757b742f96bfb0d58f0c14eb6583d0"
}
],
"title": "crypto: qat - fix memory leak in RSA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49566",
"datePublished": "2025-02-26T02:23:11.749Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:38.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21831 (GCVE-0-2025-21831)
Vulnerability from cvelistv5
Published
2025-03-06 16:22
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1
commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the
policy that all PCIe ports are allowed to use D3. When the system is
suspended if the port is not power manageable by the platform and won't be
used for wakeup via a PME this sets up the policy for these ports to go
into D3hot.
This policy generally makes sense from an OSPM perspective but it leads to
problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a
specific old BIOS. This manifests as a system hang.
On the affected Device + BIOS combination, add a quirk for the root port of
the problematic controller to ensure that these root ports are not put into
D3hot at suspend.
This patch is based on
https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com
but with the added condition both in the documentation and in the code to
apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only
the affected root ports.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/pci/fixup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8852e056e297df1d8635ee7504e780d3184e45d0",
"status": "affected",
"version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
"versionType": "git"
},
{
"lessThan": "5ee3dd6e59b834e4d66e8b16fc684749ee40a257",
"status": "affected",
"version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
"versionType": "git"
},
{
"lessThan": "a78dfe50fffe6058afed2bb04c50c2c9a16664ee",
"status": "affected",
"version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
"versionType": "git"
},
{
"lessThan": "b1049f2d68693c80a576c4578d96774a68df2bad",
"status": "affected",
"version": "9d26d3a8f1b0c442339a235f9508bdad8af91043",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/pci/fixup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1\n\ncommit 9d26d3a8f1b0 (\"PCI: Put PCIe ports into D3 during suspend\") sets the\npolicy that all PCIe ports are allowed to use D3. When the system is\nsuspended if the port is not power manageable by the platform and won\u0027t be\nused for wakeup via a PME this sets up the policy for these ports to go\ninto D3hot.\n\nThis policy generally makes sense from an OSPM perspective but it leads to\nproblems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a\nspecific old BIOS. This manifests as a system hang.\n\nOn the affected Device + BIOS combination, add a quirk for the root port of\nthe problematic controller to ensure that these root ports are not put into\nD3hot at suspend.\n\nThis patch is based on\n\n https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com\n\nbut with the added condition both in the documentation and in the code to\napply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only\nthe affected root ports."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:04.294Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8852e056e297df1d8635ee7504e780d3184e45d0"
},
{
"url": "https://git.kernel.org/stable/c/5ee3dd6e59b834e4d66e8b16fc684749ee40a257"
},
{
"url": "https://git.kernel.org/stable/c/a78dfe50fffe6058afed2bb04c50c2c9a16664ee"
},
{
"url": "https://git.kernel.org/stable/c/b1049f2d68693c80a576c4578d96774a68df2bad"
}
],
"title": "PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21831",
"datePublished": "2025-03-06T16:22:33.443Z",
"dateReserved": "2024-12-29T08:45:45.776Z",
"dateUpdated": "2025-05-04T07:22:04.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49178 (GCVE-0-2022-49178)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memstick/mspro_block: fix handling of read-only devices
Use set_disk_ro to propagate the read-only state to the block layer
instead of checking for it in ->open and leaking a reference in case
of a read-only device.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/memstick/core/mspro_block.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "057b53c4f87690d626203acef8b63d52a9bf2f43",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a0725b9d78ff6efdc95a37e4f05072e79c63918",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6dab421bfe06a59bf8f212a72e34673e8acf2018",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/memstick/core/mspro_block.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick/mspro_block: fix handling of read-only devices\n\nUse set_disk_ro to propagate the read-only state to the block layer\ninstead of checking for it in -\u003eopen and leaking a reference in case\nof a read-only device."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:41.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/057b53c4f87690d626203acef8b63d52a9bf2f43"
},
{
"url": "https://git.kernel.org/stable/c/6a0725b9d78ff6efdc95a37e4f05072e79c63918"
},
{
"url": "https://git.kernel.org/stable/c/6dab421bfe06a59bf8f212a72e34673e8acf2018"
}
],
"title": "memstick/mspro_block: fix handling of read-only devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49178",
"datePublished": "2025-02-26T01:55:31.574Z",
"dateReserved": "2025-02-26T01:49:39.281Z",
"dateUpdated": "2025-05-04T08:31:41.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49252 (GCVE-0-2022-49252)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type
Accessing enums using integer would result in array out of bounds access
on platforms like aarch64 where sizeof(long) is 8 compared to enum size
which is 4 bytes.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb15c6ea692fd88d70698d874d9a0d667fb4cde9",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "7e3629e256d1cabf801d00050550ade4d036cafe",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "aed43e92e4b9187029903880d5db608f7fa1c53c",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
},
{
"lessThan": "bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5",
"status": "affected",
"version": "4f692926f562ff48abfcca6b16f36ff8d57473b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-rx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:24.889Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb15c6ea692fd88d70698d874d9a0d667fb4cde9"
},
{
"url": "https://git.kernel.org/stable/c/7e3629e256d1cabf801d00050550ade4d036cafe"
},
{
"url": "https://git.kernel.org/stable/c/aed43e92e4b9187029903880d5db608f7fa1c53c"
},
{
"url": "https://git.kernel.org/stable/c/bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5"
}
],
"title": "ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49252",
"datePublished": "2025-02-26T01:56:08.663Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:24.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49205 (GCVE-0-2022-49205)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix double uncharge the mem of sk_msg
If tcp_bpf_sendmsg is running during a tear down operation, psock may be
freed.
tcp_bpf_sendmsg()
tcp_bpf_send_verdict()
sk_msg_return()
tcp_bpf_sendmsg_redir()
unlikely(!psock))
sk_msg_free()
The mem of msg has been uncharged in tcp_bpf_send_verdict() by
sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock
is null, we can simply returning an error code, this would then trigger
the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have
the side effect of throwing an error up to user space. This would be a
slight change in behavior from user side but would look the same as an
error if the redirect on the socket threw an error.
This issue can cause the following info:
WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
worker_thread+0x30/0x350
? process_one_work+0x3c0/0x3c0
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94c6ac22abcdede72bfaa0f4c22fb370891f4002",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "cd84ea3920aef936c559b63099ef0013ce6b2325",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "cb6f141ae705af0101e819065a79e6d029f6e393",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "223f3c51ab163852dd4819d357dcf33039929434",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "ac3ecb7760c750c8e4fc09c719241d8e6e88028c",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "2486ab434b2c2a14e9237296db00b1e1b7ae3273",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n sk_msg_return()\n tcp_bpf_sendmsg_redir()\n unlikely(!psock))\n sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply returning an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:19.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002"
},
{
"url": "https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325"
},
{
"url": "https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393"
},
{
"url": "https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434"
},
{
"url": "https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c"
},
{
"url": "https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273"
}
],
"title": "bpf, sockmap: Fix double uncharge the mem of sk_msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49205",
"datePublished": "2025-02-26T01:55:45.177Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:19.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21885 (GCVE-0-2025-21885)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers
While using nvme target with use_srq on, below kernel panic is noticed.
[ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)
[ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
..
[ 566.393799] <TASK>
[ 566.393807] ? __die_body+0x1a/0x60
[ 566.393823] ? die+0x38/0x60
[ 566.393835] ? do_trap+0xe4/0x110
[ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393881] ? do_error_trap+0x7c/0x120
[ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393911] ? exc_divide_error+0x34/0x50
[ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393939] ? asm_exc_divide_error+0x16/0x20
[ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]
[ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]
[ 566.394057] ? srso_return_thunk+0x5/0x5f
[ 566.394068] ? __init_swait_queue_head+0x4a/0x60
[ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core]
[ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]
[ 566.394174] ? lock_release+0x22c/0x3f0
[ 566.394187] ? srso_return_thunk+0x5/0x5f
Page size and shift info is set only for the user space SRQs.
Set page size and page shift for kernel space SRQs also.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "722c3db62bf60cd23acbdc8c4f445bfedae4498e",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "2cf8e6b52aecb8fbb71c41fe5add3212814031a2",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "b66535356a4834a234f99e16a97eb51f2c6c5a7d",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix the page details for the srq created by kernel consumers\n\nWhile using nvme target with use_srq on, below kernel panic is noticed.\n\n[ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)\n[ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n..\n[ 566.393799] \u003cTASK\u003e\n[ 566.393807] ? __die_body+0x1a/0x60\n[ 566.393823] ? die+0x38/0x60\n[ 566.393835] ? do_trap+0xe4/0x110\n[ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393881] ? do_error_trap+0x7c/0x120\n[ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393911] ? exc_divide_error+0x34/0x50\n[ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393939] ? asm_exc_divide_error+0x16/0x20\n[ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]\n[ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]\n[ 566.394057] ? srso_return_thunk+0x5/0x5f\n[ 566.394068] ? __init_swait_queue_head+0x4a/0x60\n[ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core]\n[ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]\n[ 566.394174] ? lock_release+0x22c/0x3f0\n[ 566.394187] ? srso_return_thunk+0x5/0x5f\n\nPage size and shift info is set only for the user space SRQs.\nSet page size and page shift for kernel space SRQs also."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:19.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/722c3db62bf60cd23acbdc8c4f445bfedae4498e"
},
{
"url": "https://git.kernel.org/stable/c/2cf8e6b52aecb8fbb71c41fe5add3212814031a2"
},
{
"url": "https://git.kernel.org/stable/c/b66535356a4834a234f99e16a97eb51f2c6c5a7d"
}
],
"title": "RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21885",
"datePublished": "2025-03-27T14:57:13.219Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:19.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46736 (GCVE-0-2024-46736)
Vulnerability from cvelistv5
Published
2024-09-18 07:11
Modified
2025-05-04 09:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix double put of @cfile in smb2_rename_path()
If smb2_set_path_attr() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() again as the
reference of @cfile was already dropped by previous smb2_compound_op()
call.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:52:47.842995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:53:02.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b27ea9c96efd2c252a981fb00d0f001b86c90f3e",
"status": "affected",
"version": "1e60bc0e954389af82f1d9a85f13a63f6572350f",
"versionType": "git"
},
{
"lessThan": "1a46c7f6546b73cbf36f5a618a1a6bbb45391eb3",
"status": "affected",
"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
"versionType": "git"
},
{
"lessThan": "3523a3df03c6f04f7ea9c2e7050102657e331a4f",
"status": "affected",
"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_rename_path()\n\nIf smb2_set_path_attr() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() again as the\nreference of @cfile was already dropped by previous smb2_compound_op()\ncall."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:33:03.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b27ea9c96efd2c252a981fb00d0f001b86c90f3e"
},
{
"url": "https://git.kernel.org/stable/c/1a46c7f6546b73cbf36f5a618a1a6bbb45391eb3"
},
{
"url": "https://git.kernel.org/stable/c/3523a3df03c6f04f7ea9c2e7050102657e331a4f"
}
],
"title": "smb: client: fix double put of @cfile in smb2_rename_path()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46736",
"datePublished": "2024-09-18T07:11:58.499Z",
"dateReserved": "2024-09-11T15:12:18.257Z",
"dateUpdated": "2025-05-04T09:33:03.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41149 (GCVE-0-2024-41149)
Vulnerability from cvelistv5
Published
2025-01-11 12:35
Modified
2025-05-04 09:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: avoid to reuse `hctx` not removed from cpuhp callback list
If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it,
otherwise use-after-free may be triggered.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:11.000102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:20.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee18012c80155f6809522804099621070c69ec72",
"status": "affected",
"version": "58bf93580fec30d84a46be41171c5fad98b5cc70",
"versionType": "git"
},
{
"lessThan": "b5792c162dcf6197bf3d2de2be6c8169435b73d0",
"status": "affected",
"version": "c1291ea131d186296dc8d328a36c3caf38e8e159",
"versionType": "git"
},
{
"lessThan": "85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b",
"status": "affected",
"version": "22465bbac53c821319089016f268a2437de9b00a",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.7",
"status": "affected",
"version": "6.12.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "6.12.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid to reuse `hctx` not removed from cpuhp callback list\n\nIf the \u0027hctx\u0027 isn\u0027t removed from cpuhp callback list, we can\u0027t reuse it,\notherwise use-after-free may be triggered."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:22:05.525Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee18012c80155f6809522804099621070c69ec72"
},
{
"url": "https://git.kernel.org/stable/c/b5792c162dcf6197bf3d2de2be6c8169435b73d0"
},
{
"url": "https://git.kernel.org/stable/c/85672ca9ceeaa1dcf2777a7048af5f4aee3fd02b"
}
],
"title": "block: avoid to reuse `hctx` not removed from cpuhp callback list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41149",
"datePublished": "2025-01-11T12:35:33.428Z",
"dateReserved": "2025-01-11T12:33:33.672Z",
"dateUpdated": "2025-05-04T09:22:05.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49555 (GCVE-0-2022-49555)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_qca: Use del_timer_sync() before freeing
While looking at a crash report on a timer list being corrupted, which
usually happens when a timer is freed while still active. This is
commonly triggered by code calling del_timer() instead of
del_timer_sync() just before freeing.
One possible culprit is the hci_qca driver, which does exactly that.
Eric mentioned that wake_retrans_timer could be rearmed via the work
queue, so also move the destruction of the work queue before
del_timer_sync().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_qca.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4989bb03342941f2b730b37dfa38bce27b543661",
"status": "affected",
"version": "0ff252c1976da5d80db1377eb39b551931e61826",
"versionType": "git"
},
{
"lessThan": "db03727b4bbbbb36e6ef4cb655c670eefb6448e9",
"status": "affected",
"version": "0ff252c1976da5d80db1377eb39b551931e61826",
"versionType": "git"
},
{
"lessThan": "37d17f63d085d601011964ade7371aeebeb6ed4b",
"status": "affected",
"version": "0ff252c1976da5d80db1377eb39b551931e61826",
"versionType": "git"
},
{
"lessThan": "2717654ae022e6ea959a4b7b762702fe1a4690c2",
"status": "affected",
"version": "0ff252c1976da5d80db1377eb39b551931e61826",
"versionType": "git"
},
{
"lessThan": "72ef98445aca568a81c2da050532500a8345ad3a",
"status": "affected",
"version": "0ff252c1976da5d80db1377eb39b551931e61826",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_qca.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.120",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.45",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Use del_timer_sync() before freeing\n\nWhile looking at a crash report on a timer list being corrupted, which\nusually happens when a timer is freed while still active. This is\ncommonly triggered by code calling del_timer() instead of\ndel_timer_sync() just before freeing.\n\nOne possible culprit is the hci_qca driver, which does exactly that.\n\nEric mentioned that wake_retrans_timer could be rearmed via the work\nqueue, so also move the destruction of the work queue before\ndel_timer_sync()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:27.341Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4989bb03342941f2b730b37dfa38bce27b543661"
},
{
"url": "https://git.kernel.org/stable/c/db03727b4bbbbb36e6ef4cb655c670eefb6448e9"
},
{
"url": "https://git.kernel.org/stable/c/37d17f63d085d601011964ade7371aeebeb6ed4b"
},
{
"url": "https://git.kernel.org/stable/c/2717654ae022e6ea959a4b7b762702fe1a4690c2"
},
{
"url": "https://git.kernel.org/stable/c/72ef98445aca568a81c2da050532500a8345ad3a"
}
],
"title": "Bluetooth: hci_qca: Use del_timer_sync() before freeing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49555",
"datePublished": "2025-02-26T02:14:03.150Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-05-04T08:40:27.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49571 (GCVE-0-2024-49571)
Vulnerability from cvelistv5
Published
2025-01-11 12:35
Modified
2025-11-03 20:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
When receiving proposal msg in server, the field iparea_offset
and the field ipv6_prefixes_cnt in proposal msg are from the
remote client and can not be fully trusted. Especially the
field iparea_offset, once exceed the max value, there has the
chance to access wrong address, and crash may happen.
This patch checks iparea_offset and ipv6_prefixes_cnt before using them.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e7b7a64a8493d47433fd003efbe6543e3f676294 Version: e7b7a64a8493d47433fd003efbe6543e3f676294 Version: e7b7a64a8493d47433fd003efbe6543e3f676294 Version: e7b7a64a8493d47433fd003efbe6543e3f676294 Version: e7b7a64a8493d47433fd003efbe6543e3f676294 Version: e7b7a64a8493d47433fd003efbe6543e3f676294 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:41:09.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc_clc.c",
"net/smc/smc_clc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "846bada23bfcdeb83621b045ed85dc06c7833ff0",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
},
{
"lessThan": "f10635268a0a49ee902a3b63b5dbb76f4fed498e",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
},
{
"lessThan": "62056d1592e63d85e82357ee2ae6a6a294f440b0",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
},
{
"lessThan": "91a7c27c1444ed4677b83fd5308d2cf03f5f0851",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
},
{
"lessThan": "47ce46349672a7e0c361bfe39ed0b22e824ef4fb",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
},
{
"lessThan": "a29e220d3c8edbf0e1beb0f028878a4a85966556",
"status": "affected",
"version": "e7b7a64a8493d47433fd003efbe6543e3f676294",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc_clc.c",
"net/smc/smc_clc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg\n\nWhen receiving proposal msg in server, the field iparea_offset\nand the field ipv6_prefixes_cnt in proposal msg are from the\nremote client and can not be fully trusted. Especially the\nfield iparea_offset, once exceed the max value, there has the\nchance to access wrong address, and crash may happen.\n\nThis patch checks iparea_offset and ipv6_prefixes_cnt before using them."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:39:27.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/846bada23bfcdeb83621b045ed85dc06c7833ff0"
},
{
"url": "https://git.kernel.org/stable/c/f10635268a0a49ee902a3b63b5dbb76f4fed498e"
},
{
"url": "https://git.kernel.org/stable/c/62056d1592e63d85e82357ee2ae6a6a294f440b0"
},
{
"url": "https://git.kernel.org/stable/c/91a7c27c1444ed4677b83fd5308d2cf03f5f0851"
},
{
"url": "https://git.kernel.org/stable/c/47ce46349672a7e0c361bfe39ed0b22e824ef4fb"
},
{
"url": "https://git.kernel.org/stable/c/a29e220d3c8edbf0e1beb0f028878a4a85966556"
}
],
"title": "net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49571",
"datePublished": "2025-01-11T12:35:36.957Z",
"dateReserved": "2025-01-11T12:33:33.704Z",
"dateUpdated": "2025-11-03T20:41:09.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49465 (GCVE-0-2022-49465)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: Set BIO_THROTTLED when bio has been throttled
1.In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().
2.If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires.But in
the current process, if bio is throttled. The BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free blow.
BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
dump_stack+0x9b/0xce
print_address_description.constprop.6+0x3e/0x60
kasan_report.cold.9+0x22/0x3a
blk_throtl_bio+0x12f0/0x2c70
submit_bio_checks+0x701/0x1550
submit_bio_noacct+0x83/0xc80
submit_bio+0xa7/0x330
mpage_readahead+0x380/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 26380:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.2+0xc1/0xd0
kmem_cache_alloc+0x146/0x440
mempool_alloc+0x125/0x2f0
bio_alloc_bioset+0x353/0x590
mpage_alloc+0x3b/0x240
do_mpage_readpage+0xddf/0x1ef0
mpage_readahead+0x264/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
kasan_save_stack+0x19/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x1b/0x30
__kasan_slab_free+0x111/0x160
kmem_cache_free+0x94/0x460
mempool_free+0xd6/0x320
bio_free+0xe0/0x130
bio_put+0xab/0xe0
bio_endio+0x3a6/0x5d0
blk_update_request+0x590/0x1370
scsi_end_request+0x7d/0x400
scsi_io_completion+0x1aa/0xe50
scsi_softirq_done+0x11b/0x240
blk_mq_complete_request+0xd4/0x120
scsi_mq_done+0xf0/0x200
virtscsi_vq_done+0xbc/0x150
vring_interrupt+0x179/0x390
__handle_irq_event_percpu+0xf7/0x490
handle_irq_event_percpu+0x7b/0x160
handle_irq_event+0xcc/0x170
handle_edge_irq+0x215/0xb20
common_interrupt+0x60/0x120
asm_common_interrupt+0x1e/0x40
Fix this by move BIO_THROTTLED set into the queue_lock.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:02.824581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cfc8a0fb07cde61915e4a77c4794c47de3114a4",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "935fa666534d7b7185e8c6b0191cd06281be4290",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
},
{
"lessThan": "5a011f889b4832aa80c2a872a5aade5c48d2756f",
"status": "affected",
"version": "2a0f61e6ecd08d260054bde4b096ff207ce5350f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-throttle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: Set BIO_THROTTLED when bio has been throttled\n\n1.In current process, all bio will set the BIO_THROTTLED flag\nafter __blk_throtl_bio().\n\n2.If bio needs to be throttled, it will start the timer and\nstop submit bio directly. Bio will submit in\nblk_throtl_dispatch_work_fn() when the timer expires.But in\nthe current process, if bio is throttled. The BIO_THROTTLED\nwill be set to bio after timer start. If the bio has been\ncompleted, it may cause use-after-free blow.\n\nBUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70\nRead of size 2 at addr ffff88801b8902d4 by task fio/26380\n\n dump_stack+0x9b/0xce\n print_address_description.constprop.6+0x3e/0x60\n kasan_report.cold.9+0x22/0x3a\n blk_throtl_bio+0x12f0/0x2c70\n submit_bio_checks+0x701/0x1550\n submit_bio_noacct+0x83/0xc80\n submit_bio+0xa7/0x330\n mpage_readahead+0x380/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAllocated by task 26380:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc.constprop.2+0xc1/0xd0\n kmem_cache_alloc+0x146/0x440\n mempool_alloc+0x125/0x2f0\n bio_alloc_bioset+0x353/0x590\n mpage_alloc+0x3b/0x240\n do_mpage_readpage+0xddf/0x1ef0\n mpage_readahead+0x264/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 0:\n kasan_save_stack+0x19/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x1b/0x30\n __kasan_slab_free+0x111/0x160\n kmem_cache_free+0x94/0x460\n mempool_free+0xd6/0x320\n bio_free+0xe0/0x130\n bio_put+0xab/0xe0\n bio_endio+0x3a6/0x5d0\n blk_update_request+0x590/0x1370\n scsi_end_request+0x7d/0x400\n scsi_io_completion+0x1aa/0xe50\n scsi_softirq_done+0x11b/0x240\n blk_mq_complete_request+0xd4/0x120\n scsi_mq_done+0xf0/0x200\n virtscsi_vq_done+0xbc/0x150\n vring_interrupt+0x179/0x390\n __handle_irq_event_percpu+0xf7/0x490\n handle_irq_event_percpu+0x7b/0x160\n handle_irq_event+0xcc/0x170\n handle_edge_irq+0x215/0xb20\n common_interrupt+0x60/0x120\n asm_common_interrupt+0x1e/0x40\n\nFix this by move BIO_THROTTLED set into the queue_lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:07.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4"
},
{
"url": "https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290"
},
{
"url": "https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f"
}
],
"title": "blk-throttle: Set BIO_THROTTLED when bio has been throttled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49465",
"datePublished": "2025-02-26T02:13:10.975Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2025-05-21T08:44:07.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49323 (GCVE-0-2022-49323)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:37.777213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:56.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu/arm-smmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3660db29b0305f9a1d95979c7af0f5db6ea99f5d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98dd53a92825747395649f54d23512a13c3ed471",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "80776a71340f57d6a4952635fc89f0342072f3ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "449fc4561762ad9ad85362d5f01f0d0df397457a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d9ed8af1dee37f181096631fb03729ece98ba816",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu/arm-smmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:11.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3660db29b0305f9a1d95979c7af0f5db6ea99f5d"
},
{
"url": "https://git.kernel.org/stable/c/98dd53a92825747395649f54d23512a13c3ed471"
},
{
"url": "https://git.kernel.org/stable/c/80776a71340f57d6a4952635fc89f0342072f3ca"
},
{
"url": "https://git.kernel.org/stable/c/449fc4561762ad9ad85362d5f01f0d0df397457a"
},
{
"url": "https://git.kernel.org/stable/c/d9ed8af1dee37f181096631fb03729ece98ba816"
}
],
"title": "iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49323",
"datePublished": "2025-02-26T02:10:47.142Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-10-01T19:46:56.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5753 (GCVE-0-2017-5753)
Vulnerability from cvelistv5
Published
2018-01-04 13:00
Modified
2024-09-16 22:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
Summary
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intel Corporation | Most Modern Operating Systems |
Version: All |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:11:48.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4609"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html"
},
{
"name": "DSA-4187",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4187"
},
{
"name": "USN-3542-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3542-2/"
},
{
"name": "GLSA-201810-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201810-06"
},
{
"name": "USN-3540-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3540-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/security/vulnerabilities/speculativeexecution"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002"
},
{
"name": "USN-3597-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3597-1/"
},
{
"name": "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html"
},
{
"name": "SUSE-SU-2018:0012",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html"
},
{
"name": "SUSE-SU-2018:0011",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4611"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2018-002"
},
{
"name": "USN-3580-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3580-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K91229003"
},
{
"name": "openSUSE-SU-2018:0022",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html"
},
{
"name": "DSA-4188",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4188"
},
{
"name": "RHSA-2018:0292",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0292"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xenbits.xen.org/xsa/advisory-254.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180104-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/support/security/Synology_SA_18_01"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt"
},
{
"name": "[debian-lts-announce] 20180718 [SECURITY] [DLA 1423-1] linux-4.9 new package",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
},
{
"name": "VU#584653",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/584653"
},
{
"name": "VU#180049",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/180049"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2018-003"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-505225.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03871en_us"
},
{
"name": "USN-3549-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3549-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX231399"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://spectreattack.com/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/"
},
{
"name": "1040071",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040071"
},
{
"name": "102371",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102371"
},
{
"name": "USN-3597-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3597-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4614"
},
{
"name": "SUSE-SU-2018:0010",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html"
},
{
"name": "USN-3540-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3540-1/"
},
{
"name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"
},
{
"name": "USN-3516-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/usn/usn-3516-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html"
},
{
"name": "43427",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43427/"
},
{
"name": "USN-3541-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3541-1/"
},
{
"name": "USN-3541-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3541-2/"
},
{
"name": "USN-3542-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3542-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.lenovo.com/us/en/solutions/LEN-18282"
},
{
"name": "openSUSE-SU-2018:0023",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4613"
},
{
"name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"
},
{
"name": "[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "20190624 [SECURITY] [DSA 4469-1] libvirt security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Jun/36"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cdrdv2.intel.com/v1/dl/getContent/685359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Most Modern Operating Systems",
"vendor": "Intel Corporation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"datePublic": "2018-01-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T17:48:07",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4609"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html"
},
{
"name": "DSA-4187",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4187"
},
{
"name": "USN-3542-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3542-2/"
},
{
"name": "GLSA-201810-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201810-06"
},
{
"name": "USN-3540-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3540-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/security/vulnerabilities/speculativeexecution"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002"
},
{
"name": "USN-3597-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3597-1/"
},
{
"name": "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html"
},
{
"name": "SUSE-SU-2018:0012",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html"
},
{
"name": "SUSE-SU-2018:0011",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4611"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2018-002"
},
{
"name": "USN-3580-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3580-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K91229003"
},
{
"name": "openSUSE-SU-2018:0022",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html"
},
{
"name": "DSA-4188",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4188"
},
{
"name": "RHSA-2018:0292",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0292"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xenbits.xen.org/xsa/advisory-254.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180104-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/support/security/Synology_SA_18_01"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt"
},
{
"name": "[debian-lts-announce] 20180718 [SECURITY] [DLA 1423-1] linux-4.9 new package",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
},
{
"name": "VU#584653",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/584653"
},
{
"name": "VU#180049",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/180049"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2018-003"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-505225.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03871en_us"
},
{
"name": "USN-3549-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3549-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.citrix.com/article/CTX231399"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://spectreattack.com/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/"
},
{
"name": "1040071",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040071"
},
{
"name": "102371",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102371"
},
{
"name": "USN-3597-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3597-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4614"
},
{
"name": "SUSE-SU-2018:0010",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html"
},
{
"name": "USN-3540-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3540-1/"
},
{
"name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"
},
{
"name": "USN-3516-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/usn/usn-3516-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html"
},
{
"name": "43427",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43427/"
},
{
"name": "USN-3541-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3541-1/"
},
{
"name": "USN-3541-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3541-2/"
},
{
"name": "USN-3542-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3542-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.lenovo.com/us/en/solutions/LEN-18282"
},
{
"name": "openSUSE-SU-2018:0023",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4613"
},
{
"name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"
},
{
"name": "[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "20190624 [SECURITY] [DSA 4469-1] libvirt security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Jun/36"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cdrdv2.intel.com/v1/dl/getContent/685359"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@intel.com",
"DATE_PUBLIC": "2018-01-03T00:00:00",
"ID": "CVE-2017-5753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Most Modern Operating Systems",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
}
]
},
"vendor_name": "Intel Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://nvidia.custhelp.com/app/answers/detail/a_id/4609",
"refsource": "CONFIRM",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4609"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html"
},
{
"name": "DSA-4187",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4187"
},
{
"name": "USN-3542-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3542-2/"
},
{
"name": "GLSA-201810-06",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201810-06"
},
{
"name": "USN-3540-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3540-2/"
},
{
"name": "https://access.redhat.com/security/vulnerabilities/speculativeexecution",
"refsource": "CONFIRM",
"url": "https://access.redhat.com/security/vulnerabilities/speculativeexecution"
},
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002",
"refsource": "CONFIRM",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002"
},
{
"name": "USN-3597-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3597-1/"
},
{
"name": "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html"
},
{
"name": "SUSE-SU-2018:0012",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html"
},
{
"name": "SUSE-SU-2018:0011",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html"
},
{
"name": "http://nvidia.custhelp.com/app/answers/detail/a_id/4611",
"refsource": "CONFIRM",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4611"
},
{
"name": "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html",
"refsource": "MISC",
"url": "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html"
},
{
"name": "https://cert.vde.com/en-us/advisories/vde-2018-002",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2018-002"
},
{
"name": "USN-3580-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3580-1/"
},
{
"name": "https://support.f5.com/csp/article/K91229003",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K91229003"
},
{
"name": "openSUSE-SU-2018:0022",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html"
},
{
"name": "DSA-4188",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4188"
},
{
"name": "RHSA-2018:0292",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0292"
},
{
"name": "http://xenbits.xen.org/xsa/advisory-254.html",
"refsource": "CONFIRM",
"url": "http://xenbits.xen.org/xsa/advisory-254.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180104-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180104-0001/"
},
{
"name": "https://www.synology.com/support/security/Synology_SA_18_01",
"refsource": "CONFIRM",
"url": "https://www.synology.com/support/security/Synology_SA_18_01"
},
{
"name": "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html"
},
{
"name": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt",
"refsource": "CONFIRM",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt"
},
{
"name": "[debian-lts-announce] 20180718 [SECURITY] [DLA 1423-1] linux-4.9 new package",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html"
},
{
"name": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability",
"refsource": "CONFIRM",
"url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
},
{
"name": "VU#584653",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/584653"
},
{
"name": "VU#180049",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/180049"
},
{
"name": "https://cert.vde.com/en-us/advisories/vde-2018-003",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2018-003"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us"
},
{
"name": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001",
"refsource": "CONFIRM",
"url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-505225.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-505225.pdf"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03871en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03871en_us"
},
{
"name": "USN-3549-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3549-1/"
},
{
"name": "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/",
"refsource": "CONFIRM",
"url": "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/"
},
{
"name": "https://support.citrix.com/article/CTX231399",
"refsource": "CONFIRM",
"url": "https://support.citrix.com/article/CTX231399"
},
{
"name": "https://spectreattack.com/",
"refsource": "MISC",
"url": "https://spectreattack.com/"
},
{
"name": "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/",
"refsource": "CONFIRM",
"url": "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/"
},
{
"name": "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/",
"refsource": "CONFIRM",
"url": "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/"
},
{
"name": "1040071",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040071"
},
{
"name": "102371",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102371"
},
{
"name": "USN-3597-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3597-2/"
},
{
"name": "http://nvidia.custhelp.com/app/answers/detail/a_id/4614",
"refsource": "CONFIRM",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4614"
},
{
"name": "SUSE-SU-2018:0010",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html"
},
{
"name": "USN-3540-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3540-1/"
},
{
"name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"
},
{
"name": "USN-3516-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/usn/usn-3516-1/"
},
{
"name": "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html",
"refsource": "CONFIRM",
"url": "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html"
},
{
"name": "43427",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43427/"
},
{
"name": "USN-3541-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3541-1/"
},
{
"name": "USN-3541-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3541-2/"
},
{
"name": "USN-3542-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3542-1/"
},
{
"name": "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html",
"refsource": "MISC",
"url": "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html"
},
{
"name": "https://support.lenovo.com/us/en/solutions/LEN-18282",
"refsource": "CONFIRM",
"url": "https://support.lenovo.com/us/en/solutions/LEN-18282"
},
{
"name": "openSUSE-SU-2018:0023",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html"
},
{
"name": "http://nvidia.custhelp.com/app/answers/detail/a_id/4613",
"refsource": "CONFIRM",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4613"
},
{
"name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"
},
{
"name": "[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "20190624 [SECURITY] [DSA 4469-1] libvirt security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Jun/36"
},
{
"name": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt",
"refsource": "CONFIRM",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf"
},
{
"name": "https://cdrdv2.intel.com/v1/dl/getContent/685359",
"refsource": "CONFIRM",
"url": "https://cdrdv2.intel.com/v1/dl/getContent/685359"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2017-5753",
"datePublished": "2018-01-04T13:00:00Z",
"dateReserved": "2017-02-01T00:00:00",
"dateUpdated": "2024-09-16T22:24:53.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49677 (GCVE-0-2022-49677)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: cns3xxx: Fix refcount leak in cns3xxx_init
of_find_compatible_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c Version: 415f59142d9d9dd023deaeb3b4dfc1aecdd3983c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:12.364142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-cns3xxx/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8b84e01ca94e2e1f5492353e9c24dab520b2e5b",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "45bebbc8cea7d586a6216dc62814bdb380b9b29b",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "68d4303bf59662b64bd555e2aa0518282d20aa4f",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "d1359e4129ad43e43972a28838b87291c51de23d",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "c980392af1473d6d5662f70d8089c8e6d85144a4",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "da3ee7cd2f15922ad88a7ca6deee2eafdc7cd214",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "dc5170aae24e04068fd5ea125d06c0ab51f48a27",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
},
{
"lessThan": "1ba904b6b16e08de5aed7c1349838d9cd0d178c5",
"status": "affected",
"version": "415f59142d9d9dd023deaeb3b4dfc1aecdd3983c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-cns3xxx/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.321",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.286",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: cns3xxx: Fix refcount leak in cns3xxx_init\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:07.547Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8b84e01ca94e2e1f5492353e9c24dab520b2e5b"
},
{
"url": "https://git.kernel.org/stable/c/45bebbc8cea7d586a6216dc62814bdb380b9b29b"
},
{
"url": "https://git.kernel.org/stable/c/68d4303bf59662b64bd555e2aa0518282d20aa4f"
},
{
"url": "https://git.kernel.org/stable/c/d1359e4129ad43e43972a28838b87291c51de23d"
},
{
"url": "https://git.kernel.org/stable/c/c980392af1473d6d5662f70d8089c8e6d85144a4"
},
{
"url": "https://git.kernel.org/stable/c/da3ee7cd2f15922ad88a7ca6deee2eafdc7cd214"
},
{
"url": "https://git.kernel.org/stable/c/dc5170aae24e04068fd5ea125d06c0ab51f48a27"
},
{
"url": "https://git.kernel.org/stable/c/1ba904b6b16e08de5aed7c1349838d9cd0d178c5"
}
],
"title": "ARM: cns3xxx: Fix refcount leak in cns3xxx_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49677",
"datePublished": "2025-02-26T02:24:08.366Z",
"dateReserved": "2025-02-26T02:21:30.438Z",
"dateUpdated": "2025-10-01T19:36:47.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49057 (GCVE-0-2022-49057)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: null_blk: end timed out poll request
When poll request is timed out, it is removed from the poll list,
but not completed, so the request is leaked, and never get chance
to complete.
Fix the issue by ending it in timeout handler.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407d09a22f3f685fd634aa5d05840c64b23bfebc",
"status": "affected",
"version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b",
"versionType": "git"
},
{
"lessThan": "3e3876d322aef82416ecc496a4d4a587e0fdf7a3",
"status": "affected",
"version": "0a593fbbc245a85940ed34caa3aa1e4cb060c54b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/null_blk/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: null_blk: end timed out poll request\n\nWhen poll request is timed out, it is removed from the poll list,\nbut not completed, so the request is leaked, and never get chance\nto complete.\n\nFix the issue by ending it in timeout handler."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:49.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407d09a22f3f685fd634aa5d05840c64b23bfebc"
},
{
"url": "https://git.kernel.org/stable/c/3e3876d322aef82416ecc496a4d4a587e0fdf7a3"
}
],
"title": "block: null_blk: end timed out poll request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49057",
"datePublished": "2025-02-26T01:54:28.723Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-05-04T08:28:49.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42098 (GCVE-0-2024-42098)
Vulnerability from cvelistv5
Published
2024-07-29 17:39
Modified
2025-11-03 22:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ecdh - explicitly zeroize private_key
private_key is overwritten with the key parameter passed in by the
caller (if present), or alternatively a newly generated private key.
However, it is possible that the caller provides a key (or the newly
generated key) which is shorter than the previous key. In that
scenario, some key material from the previous key would not be
overwritten. The easiest solution is to explicitly zeroize the entire
private_key array first.
Note that this patch slightly changes the behavior of this function:
previously, if the ecc_gen_privkey failed, the old private_key would
remain. Now, the private_key is always zeroized. This behavior is
consistent with the case where params.key is set and ecc_is_key_valid
fails.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:01:33.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:18:15.393547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:59.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/ecdh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39173b04abda87872b43c331468a4a14f8f05ce8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd7ef325911eba1b7191b83cb580463242f2090d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "80575b252ab0358b7e93895b2a510beb3cb3f975",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d96187eb8e59b572a8e6a68b6a9837a867ea29df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73e5984e540a76a2ee1868b91590c922da8c24c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/ecdh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:22:57.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8"
},
{
"url": "https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d"
},
{
"url": "https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975"
},
{
"url": "https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df"
},
{
"url": "https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9"
}
],
"title": "crypto: ecdh - explicitly zeroize private_key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42098",
"datePublished": "2024-07-29T17:39:33.395Z",
"dateReserved": "2024-07-29T15:50:41.173Z",
"dateUpdated": "2025-11-03T22:01:33.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49653 (GCVE-0-2022-49653)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: piix4: Fix a memory leak in the EFCH MMIO support
The recently added support for EFCH MMIO regions introduced a memory
leak in that code path. The leak is caused by the fact that
release_resource() merely removes the resource from the tree but does
not free its memory. We need to call release_mem_region() instead,
which does free the memory. As a nice side effect, this brings back
some symmetry between the legacy and MMIO paths.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49653",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:38.203252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-piix4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2bf1a6480e8d44658a8ac3bdcec081238873212",
"status": "affected",
"version": "4b965566ca26e83553d92b8c57050e5d59911806",
"versionType": "git"
},
{
"lessThan": "a3263e4cf8265f0c9eb0ed8a9b50f132c7a42e19",
"status": "affected",
"version": "7c148722d074c29fb998578eea5de3c14b9608c9",
"versionType": "git"
},
{
"lessThan": "8ad59b397f86a4d8014966fdc0552095a0c4fb2b",
"status": "affected",
"version": "7c148722d074c29fb998578eea5de3c14b9608c9",
"versionType": "git"
},
{
"status": "affected",
"version": "f48190bca4b1a397f2e050efea2c8e8e72049ec8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-piix4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix a memory leak in the EFCH MMIO support\n\nThe recently added support for EFCH MMIO regions introduced a memory\nleak in that code path. The leak is caused by the fact that\nrelease_resource() merely removes the resource from the tree but does\nnot free its memory. We need to call release_mem_region() instead,\nwhich does free the memory. As a nice side effect, this brings back\nsome symmetry between the legacy and MMIO paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:03.594Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2bf1a6480e8d44658a8ac3bdcec081238873212"
},
{
"url": "https://git.kernel.org/stable/c/a3263e4cf8265f0c9eb0ed8a9b50f132c7a42e19"
},
{
"url": "https://git.kernel.org/stable/c/8ad59b397f86a4d8014966fdc0552095a0c4fb2b"
}
],
"title": "i2c: piix4: Fix a memory leak in the EFCH MMIO support",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49653",
"datePublished": "2025-02-26T02:23:54.484Z",
"dateReserved": "2025-02-26T02:21:30.433Z",
"dateUpdated": "2025-10-01T19:36:48.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49732 (GCVE-0-2022-49732)
Vulnerability from cvelistv5
Published
2025-02-26 14:57
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sock: redo the psock vs ULP protection check
Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to
the new tcp_bpf_update_proto() function. I'm guessing that this
was done to allow creating psocks for non-inet sockets.
Unfortunately the destruction path for psock includes the ULP
unwind, so we need to fail the sk_psock_init() itself.
Otherwise if ULP is already present we'll notice that later,
and call tcp_update_ulp() with the sk_proto of the ULP
itself, which will most likely result in the ULP looping
its callbacks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_sock.h",
"net/core/skmsg.c",
"net/ipv4/tcp_bpf.c",
"net/tls/tls_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72fa0f65b56605b8a9ae9fba2082f2123f7fe017",
"status": "affected",
"version": "8a59f9d1e3d4340659fdfee8879dc09a6f2546e1",
"versionType": "git"
},
{
"lessThan": "922309e50befb0cfa5cb65e4989b7706d6578846",
"status": "affected",
"version": "8a59f9d1e3d4340659fdfee8879dc09a6f2546e1",
"versionType": "git"
},
{
"lessThan": "e34a07c0ae3906f97eb18df50902e2a01c1015b6",
"status": "affected",
"version": "8a59f9d1e3d4340659fdfee8879dc09a6f2546e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_sock.h",
"net/core/skmsg.c",
"net/ipv4/tcp_bpf.c",
"net/tls/tls_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock: redo the psock vs ULP protection check\n\nCommit 8a59f9d1e3d4 (\"sock: Introduce sk-\u003esk_prot-\u003epsock_update_sk_prot()\")\nhas moved the inet_csk_has_ulp(sk) check from sk_psock_init() to\nthe new tcp_bpf_update_proto() function. I\u0027m guessing that this\nwas done to allow creating psocks for non-inet sockets.\n\nUnfortunately the destruction path for psock includes the ULP\nunwind, so we need to fail the sk_psock_init() itself.\nOtherwise if ULP is already present we\u0027ll notice that later,\nand call tcp_update_ulp() with the sk_proto of the ULP\nitself, which will most likely result in the ULP looping\nits callbacks."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:16.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017"
},
{
"url": "https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846"
},
{
"url": "https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6"
}
],
"title": "sock: redo the psock vs ULP protection check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49732",
"datePublished": "2025-02-26T14:57:24.827Z",
"dateReserved": "2025-02-26T02:21:30.449Z",
"dateUpdated": "2025-05-04T08:44:16.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52930 (GCVE-0-2023-52930)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential bit_17 double-free
A userspace with multiple threads racing I915_GEM_SET_TILING to set the
tiling to I915_TILING_NONE could trigger a double free of the bit_17
bitmask. (Or conversely leak memory on the transition to tiled.) Move
allocation/free'ing of the bitmask within the section protected by the
obj lock.
[tursulin: Correct fixes tag and added cc stable.]
(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:16.883410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:36.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_tiling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b591abac78e25269b12e3d7170c99463f8c5cb02",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "e3ebc3e23bd9028a8a9a26cbc5985f99be445f65",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "0769f997a7b6d5cb8336db0b4ec3d2d311b8097c",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "7057a8f126f14f14b040faecfa220fd27c6c2f85",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_tiling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential bit_17 double-free\n\nA userspace with multiple threads racing I915_GEM_SET_TILING to set the\ntiling to I915_TILING_NONE could trigger a double free of the bit_17\nbitmask. (Or conversely leak memory on the transition to tiled.) Move\nallocation/free\u0027ing of the bitmask within the section protected by the\nobj lock.\n\n[tursulin: Correct fixes tag and added cc stable.]\n(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:14.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b591abac78e25269b12e3d7170c99463f8c5cb02"
},
{
"url": "https://git.kernel.org/stable/c/e3ebc3e23bd9028a8a9a26cbc5985f99be445f65"
},
{
"url": "https://git.kernel.org/stable/c/0769f997a7b6d5cb8336db0b4ec3d2d311b8097c"
},
{
"url": "https://git.kernel.org/stable/c/7057a8f126f14f14b040faecfa220fd27c6c2f85"
}
],
"title": "drm/i915: Fix potential bit_17 double-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52930",
"datePublished": "2025-03-27T16:37:12.302Z",
"dateReserved": "2024-08-21T06:07:11.019Z",
"dateUpdated": "2025-10-01T19:26:36.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49090 (GCVE-0-2022-49090)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arch/arm64: Fix topology initialization for core scheduling
Arm64 systems rely on store_cpu_topology() to call update_siblings_masks()
to transfer the toplogy to the various cpu masks. This needs to be done
before the call to notify_cpu_starting() which tells the scheduler about
each cpu found, otherwise the core scheduling data structures are setup
in a way that does not match the actual topology.
With smt_mask not setup correctly we bail on `cpumask_weight(smt_mask) == 1`
for !leaders in:
notify_cpu_starting()
cpuhp_invoke_callback_range()
sched_cpu_starting()
sched_core_cpu_starting()
which leads to rq->core not being correctly set for !leader-rq's.
Without this change stress-ng (which enables core scheduling in its prctl
tests in newer versions -- i.e. with PR_SCHED_CORE support) causes a warning
and then a crash (trimmed for legibility):
[ 1853.805168] ------------[ cut here ]------------
[ 1853.809784] task_rq(b)->core != rq->core
[ 1853.809792] WARNING: CPU: 117 PID: 0 at kernel/sched/fair.c:11102 cfs_prio_less+0x1b4/0x1c4
...
[ 1854.015210] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
[ 1854.231256] Call trace:
[ 1854.233689] pick_next_task+0x3dc/0x81c
[ 1854.237512] __schedule+0x10c/0x4cc
[ 1854.240988] schedule_idle+0x34/0x54
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87f5d66daa5f457449bb95d6b8d18bb7596aa627",
"status": "affected",
"version": "9edeaea1bc452372718837ed2ba775811baf1ba1",
"versionType": "git"
},
{
"lessThan": "790c1567582bda8f1153015436e3330a7c6eb278",
"status": "affected",
"version": "9edeaea1bc452372718837ed2ba775811baf1ba1",
"versionType": "git"
},
{
"lessThan": "c78a1b2d0bff678570c8dc9f14035606f5e5257d",
"status": "affected",
"version": "9edeaea1bc452372718837ed2ba775811baf1ba1",
"versionType": "git"
},
{
"lessThan": "5524cbb1bfcdff0cad0aaa9f94e6092002a07259",
"status": "affected",
"version": "9edeaea1bc452372718837ed2ba775811baf1ba1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narch/arm64: Fix topology initialization for core scheduling\n\nArm64 systems rely on store_cpu_topology() to call update_siblings_masks()\nto transfer the toplogy to the various cpu masks. This needs to be done\nbefore the call to notify_cpu_starting() which tells the scheduler about\neach cpu found, otherwise the core scheduling data structures are setup\nin a way that does not match the actual topology.\n\nWith smt_mask not setup correctly we bail on `cpumask_weight(smt_mask) == 1`\nfor !leaders in:\n\n notify_cpu_starting()\n cpuhp_invoke_callback_range()\n sched_cpu_starting()\n sched_core_cpu_starting()\n\nwhich leads to rq-\u003ecore not being correctly set for !leader-rq\u0027s.\n\nWithout this change stress-ng (which enables core scheduling in its prctl\ntests in newer versions -- i.e. with PR_SCHED_CORE support) causes a warning\nand then a crash (trimmed for legibility):\n\n[ 1853.805168] ------------[ cut here ]------------\n[ 1853.809784] task_rq(b)-\u003ecore != rq-\u003ecore\n[ 1853.809792] WARNING: CPU: 117 PID: 0 at kernel/sched/fair.c:11102 cfs_prio_less+0x1b4/0x1c4\n...\n[ 1854.015210] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n...\n[ 1854.231256] Call trace:\n[ 1854.233689] pick_next_task+0x3dc/0x81c\n[ 1854.237512] __schedule+0x10c/0x4cc\n[ 1854.240988] schedule_idle+0x34/0x54"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:30.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87f5d66daa5f457449bb95d6b8d18bb7596aa627"
},
{
"url": "https://git.kernel.org/stable/c/790c1567582bda8f1153015436e3330a7c6eb278"
},
{
"url": "https://git.kernel.org/stable/c/c78a1b2d0bff678570c8dc9f14035606f5e5257d"
},
{
"url": "https://git.kernel.org/stable/c/5524cbb1bfcdff0cad0aaa9f94e6092002a07259"
}
],
"title": "arch/arm64: Fix topology initialization for core scheduling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49090",
"datePublished": "2025-02-26T01:54:46.227Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:30.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49351 (GCVE-0-2022-49351)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: altera: Fix refcount leak in altera_tse_mdio_create
Every iteration of for_each_child_of_node() decrements
the reference count of the previous node.
When break from a for_each_child_of_node() loop,
we need to explicitly call of_node_put() on the child node when
not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a Version: bbd2190ce96d8fce031f0526c1f970b68adc9d1a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:52.544103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:54.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a013fa884d8738ad8455aa1a843b8c9d80c6c833",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "1fd12298a0e0ca23478c715e672ee64c85670584",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "5cd0e22fa11f4a21a8c09cc258f20b1474c95801",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "8174acbef87b8dd8bf3731eba2a5af1ac857e239",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "96bf5ed057df2d157274d4e2079002f9a9404bb8",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "e31d9ba169860687dba19bdc8fccbfd34077f655",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "803b217f1fb49a2dbb2123acdb45111b9c48b8be",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "4f850fe0a32c3f1e19b76996a3b1ca32637a14de",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "11ec18b1d8d92b9df307d31950dcba0b3dd7283c",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera: Fix refcount leak in altera_tse_mdio_create\n\nEvery iteration of for_each_child_of_node() decrements\nthe reference count of the previous node.\nWhen break from a for_each_child_of_node() loop,\nwe need to explicitly call of_node_put() on the child node when\nnot need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:52.462Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a013fa884d8738ad8455aa1a843b8c9d80c6c833"
},
{
"url": "https://git.kernel.org/stable/c/1fd12298a0e0ca23478c715e672ee64c85670584"
},
{
"url": "https://git.kernel.org/stable/c/5cd0e22fa11f4a21a8c09cc258f20b1474c95801"
},
{
"url": "https://git.kernel.org/stable/c/8174acbef87b8dd8bf3731eba2a5af1ac857e239"
},
{
"url": "https://git.kernel.org/stable/c/96bf5ed057df2d157274d4e2079002f9a9404bb8"
},
{
"url": "https://git.kernel.org/stable/c/e31d9ba169860687dba19bdc8fccbfd34077f655"
},
{
"url": "https://git.kernel.org/stable/c/803b217f1fb49a2dbb2123acdb45111b9c48b8be"
},
{
"url": "https://git.kernel.org/stable/c/4f850fe0a32c3f1e19b76996a3b1ca32637a14de"
},
{
"url": "https://git.kernel.org/stable/c/11ec18b1d8d92b9df307d31950dcba0b3dd7283c"
}
],
"title": "net: altera: Fix refcount leak in altera_tse_mdio_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49351",
"datePublished": "2025-02-26T02:11:04.014Z",
"dateReserved": "2025-02-26T02:08:31.544Z",
"dateUpdated": "2025-10-01T19:46:54.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21743 (GCVE-0-2025-21743)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: fix possible overflow in DPE length check
Originally, it was possible for the DPE length check to overflow if
wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
read.
Move the wDatagramIndex term to the other side of the inequality.
An existing condition ensures that wDatagramIndex < urb->actual_length.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:04.007074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:41.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18bf6f5cce3172cb303c3f0551aa9443d5ed74f8",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "d677e7dd59ad6837496f5a02d8e5d39824278dfd",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "d824a964185910e317287f034c0a439c08b4fe49",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "c219427ed296f94bb4b91d08626776dc7719ee27",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix possible overflow in DPE length check\n\nOriginally, it was possible for the DPE length check to overflow if\nwDatagramIndex + wDatagramLength \u003e U16_MAX. This could lead to an OoB\nread.\n\nMove the wDatagramIndex term to the other side of the inequality.\n\nAn existing condition ensures that wDatagramIndex \u003c urb-\u003eactual_length."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:10.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18bf6f5cce3172cb303c3f0551aa9443d5ed74f8"
},
{
"url": "https://git.kernel.org/stable/c/d677e7dd59ad6837496f5a02d8e5d39824278dfd"
},
{
"url": "https://git.kernel.org/stable/c/d824a964185910e317287f034c0a439c08b4fe49"
},
{
"url": "https://git.kernel.org/stable/c/c219427ed296f94bb4b91d08626776dc7719ee27"
}
],
"title": "usbnet: ipheth: fix possible overflow in DPE length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21743",
"datePublished": "2025-02-27T02:12:16.696Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-10-01T19:36:41.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49272 (GCVE-0-2022-49272)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
syzbot caught a potential deadlock between the PCM
runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
recent fix to cover the racy read/write and other ioctls, and in that
commit, I overlooked a (hopefully only) corner case that may take the
revert lock, namely, the OSS mmap. The OSS mmap operation
exceptionally allows to re-configure the parameters inside the OSS
mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
copy_from/to_user calls at read/write operations also take the
mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.
A similar problem was already seen in the past and we fixed it with a
refcount (in commit b248371628aa). The former fix covered only the
call paths with OSS read/write and OSS ioctls, while we need to cover
the concurrent access via both ALSA and OSS APIs now.
This patch addresses the problem above by replacing the buffer_mutex
lock in the read/write operations with a refcount similar as we've
used for OSS. The new field, runtime->buffer_accessing, keeps the
number of concurrent read/write operations. Unlike the former
buffer_mutex protection, this protects only around the
copy_from/to_user() calls; the other codes are basically protected by
the PCM stream lock. The refcount can be a negative, meaning blocked
by the ioctls. If a negative value is seen, the read/write aborts
with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
and set to a negative value for blocking unless it's already being
accessed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 73867cb2bc7dfa7fbd219e53a0b68d253d8fda09 Version: b3830197aa7413c65767cf5a1aa8775c83f0dbf7 Version: 08d1807f097a63ea00a7067dad89c1c81cb2115e Version: 8527c8f052fb42091c6569cb928e472376a4a889 Version: 47711ff10c7e126702cfa725f6d86ef529d15a5f Version: 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5 Version: dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03 Version: dca947d4d26dbf925a64a6cfb2ddbc035e831a3d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_lib.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e9133607e1501c94881be35e118d8f84d96dcb4",
"status": "affected",
"version": "73867cb2bc7dfa7fbd219e53a0b68d253d8fda09",
"versionType": "git"
},
{
"lessThan": "40f4cffbe13a51faf136faf5f9ef6847782cd595",
"status": "affected",
"version": "b3830197aa7413c65767cf5a1aa8775c83f0dbf7",
"versionType": "git"
},
{
"lessThan": "9661bf674d6a82b76e4ae424438a8ce1e3ed855d",
"status": "affected",
"version": "08d1807f097a63ea00a7067dad89c1c81cb2115e",
"versionType": "git"
},
{
"lessThan": "9017201e8d8c6d1472273361389ed431188584a0",
"status": "affected",
"version": "8527c8f052fb42091c6569cb928e472376a4a889",
"versionType": "git"
},
{
"lessThan": "7777744e92a0b30e3e0cce2758d911837011ebd9",
"status": "affected",
"version": "47711ff10c7e126702cfa725f6d86ef529d15a5f",
"versionType": "git"
},
{
"lessThan": "abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e",
"status": "affected",
"version": "4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5",
"versionType": "git"
},
{
"lessThan": "be9813ad2fc8f0885f5ce6925af0d993ce5da4e5",
"status": "affected",
"version": "dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03",
"versionType": "git"
},
{
"lessThan": "bc55cfd5718c7c23e5524582e9fa70b4d10f2433",
"status": "affected",
"version": "dca947d4d26dbf925a64a6cfb2ddbc035e831a3d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_lib.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.10.110",
"status": "affected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThan": "5.15.33",
"status": "affected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThan": "5.16.19",
"status": "affected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThan": "5.17.2",
"status": "affected",
"version": "5.17.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock\n\nsyzbot caught a potential deadlock between the PCM\nruntime-\u003ebuffer_mutex and the mm-\u003emmap_lock. It was brought by the\nrecent fix to cover the racy read/write and other ioctls, and in that\ncommit, I overlooked a (hopefully only) corner case that may take the\nrevert lock, namely, the OSS mmap. The OSS mmap operation\nexceptionally allows to re-configure the parameters inside the OSS\nmmap syscall, where mm-\u003emmap_mutex is already held. Meanwhile, the\ncopy_from/to_user calls at read/write operations also take the\nmm-\u003emmap_lock internally, hence it may lead to a AB/BA deadlock.\n\nA similar problem was already seen in the past and we fixed it with a\nrefcount (in commit b248371628aa). The former fix covered only the\ncall paths with OSS read/write and OSS ioctls, while we need to cover\nthe concurrent access via both ALSA and OSS APIs now.\n\nThis patch addresses the problem above by replacing the buffer_mutex\nlock in the read/write operations with a refcount similar as we\u0027ve\nused for OSS. The new field, runtime-\u003ebuffer_accessing, keeps the\nnumber of concurrent read/write operations. Unlike the former\nbuffer_mutex protection, this protects only around the\ncopy_from/to_user() calls; the other codes are basically protected by\nthe PCM stream lock. The refcount can be a negative, meaning blocked\nby the ioctls. If a negative value is seen, the read/write aborts\nwith -EBUSY. In the ioctl side, OTOH, they check this refcount, too,\nand set to a negative value for blocking unless it\u0027s already being\naccessed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:54.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4"
},
{
"url": "https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595"
},
{
"url": "https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d"
},
{
"url": "https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0"
},
{
"url": "https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9"
},
{
"url": "https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e"
},
{
"url": "https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5"
},
{
"url": "https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433"
}
],
"title": "ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49272",
"datePublished": "2025-02-26T01:56:18.626Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:54.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49188 (GCVE-0-2022-49188)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region
The device_node pointer is returned by of_parse_phandle() or
of_get_child_by_name() with refcount incremented.
We should use of_node_put() on it when done.
This function only call of_node_put(node) when of_address_to_resource
succeeds, missing error cases.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_mss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7210ca29a783c94478da02368731e4c9cf7cdb7",
"status": "affected",
"version": "051fb70fd4ea40fbc7139186a4890b2fe5cb1e76",
"versionType": "git"
},
{
"lessThan": "bd4771ba2cf9e18473a42b5b70175e50d67a64bb",
"status": "affected",
"version": "051fb70fd4ea40fbc7139186a4890b2fe5cb1e76",
"versionType": "git"
},
{
"lessThan": "a7d988735e757e111f9722de7cf1b40a84a48b1f",
"status": "affected",
"version": "051fb70fd4ea40fbc7139186a4890b2fe5cb1e76",
"versionType": "git"
},
{
"lessThan": "b9df3007b3cda4936cc50f5a7d2d30505a652828",
"status": "affected",
"version": "051fb70fd4ea40fbc7139186a4890b2fe5cb1e76",
"versionType": "git"
},
{
"lessThan": "07a5dcc4bed9d7cae54adf5aa10ff9f037a3204b",
"status": "affected",
"version": "051fb70fd4ea40fbc7139186a4890b2fe5cb1e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_mss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region\n\nThe device_node pointer is returned by of_parse_phandle() or\nof_get_child_by_name() with refcount incremented.\nWe should use of_node_put() on it when done.\n\nThis function only call of_node_put(node) when of_address_to_resource\nsucceeds, missing error cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:52.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7210ca29a783c94478da02368731e4c9cf7cdb7"
},
{
"url": "https://git.kernel.org/stable/c/bd4771ba2cf9e18473a42b5b70175e50d67a64bb"
},
{
"url": "https://git.kernel.org/stable/c/a7d988735e757e111f9722de7cf1b40a84a48b1f"
},
{
"url": "https://git.kernel.org/stable/c/b9df3007b3cda4936cc50f5a7d2d30505a652828"
},
{
"url": "https://git.kernel.org/stable/c/07a5dcc4bed9d7cae54adf5aa10ff9f037a3204b"
}
],
"title": "remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49188",
"datePublished": "2025-02-26T01:55:36.582Z",
"dateReserved": "2025-02-26T01:49:39.286Z",
"dateUpdated": "2025-05-04T08:31:52.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49635 (GCVE-0-2022-49635)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/selftests: fix subtraction overflow bug
On some machines hole_end can be small enough to cause subtraction
overflow. On the other side (addr + 2 * min_alignment) can overflow
in case of mock tests. This patch should handle both cases.
(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a",
"status": "affected",
"version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
"versionType": "git"
},
{
"lessThan": "333991c4e66b3d4b5613315f18016da80344f659",
"status": "affected",
"version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/selftests: fix subtraction overflow bug\n\nOn some machines hole_end can be small enough to cause subtraction\noverflow. On the other side (addr + 2 * min_alignment) can overflow\nin case of mock tests. This patch should handle both cases.\n\n(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:16.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a"
},
{
"url": "https://git.kernel.org/stable/c/333991c4e66b3d4b5613315f18016da80344f659"
}
],
"title": "drm/i915/selftests: fix subtraction overflow bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49635",
"datePublished": "2025-02-26T02:23:45.744Z",
"dateReserved": "2025-02-26T02:21:30.429Z",
"dateUpdated": "2025-05-04T08:42:16.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56719 (GCVE-0-2024-56719)
Vulnerability from cvelistv5
Published
2024-12-29 08:48
Modified
2025-10-01 20:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix TSO DMA API usage causing oops
Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap
for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s
members to be later in stmmac_tso_xmit().
The buf (dma cookie) and len stored in this structure are passed to
dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that
the dma cookie passed to dma_unmap_single() is the same as the value
returned from dma_map_single(). However, by moving the assignment
later, this is not the case when priv->dma_cap.addr64 > 32 as "des"
is offset by proto_hdr_len.
This causes problems such as:
dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed
and with DMA_API_DEBUG enabled:
DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]
Fix this by maintaining "des" as the original DMA cookie, and use
tso_des to pass the offset DMA cookie to stmmac_tso_allocator().
Full details of the crashes can be found at:
https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/
https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 07c9c26e37542486e34d767505e842f48f29c3f6 Version: 66600fac7a984dea4ae095411f644770b2561ede Version: 66600fac7a984dea4ae095411f644770b2561ede Version: ece593fc9c00741b682869d3f3dc584d37b7c9df Version: a3ff23f7c3f0e13f718900803e090fd3997d6bc9 Version: 58d23d835eb498336716cca55b5714191a309286 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:58:24.752519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:06.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db3667c9bbfbbf5de98e6c9542f7e03fb5243286",
"status": "affected",
"version": "07c9c26e37542486e34d767505e842f48f29c3f6",
"versionType": "git"
},
{
"lessThan": "9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2",
"status": "affected",
"version": "66600fac7a984dea4ae095411f644770b2561ede",
"versionType": "git"
},
{
"lessThan": "4c49f38e20a57f8abaebdf95b369295b153d1f8e",
"status": "affected",
"version": "66600fac7a984dea4ae095411f644770b2561ede",
"versionType": "git"
},
{
"status": "affected",
"version": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
"versionType": "git"
},
{
"status": "affected",
"version": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
"versionType": "git"
},
{
"status": "affected",
"version": "58d23d835eb498336716cca55b5714191a309286",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "6.6.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]\u0027s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv-\u003edma_cap.addr64 \u003e 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:18.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286"
},
{
"url": "https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2"
},
{
"url": "https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e"
}
],
"title": "net: stmmac: fix TSO DMA API usage causing oops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56719",
"datePublished": "2024-12-29T08:48:51.495Z",
"dateReserved": "2024-12-27T15:00:39.858Z",
"dateUpdated": "2025-10-01T20:07:06.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21871 (GCVE-0-2025-21871)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: optee: Fix supplicant wait loop
OP-TEE supplicant is a user-space daemon and it's possible for it
be hung or crashed or killed in the middle of processing an OP-TEE
RPC call. It becomes more complicated when there is incorrect shutdown
ordering of the supplicant process vs the OP-TEE client application which
can eventually lead to system hang-up waiting for the closure of the
client application.
Allow the client process waiting in kernel for supplicant response to
be killed rather than indefinitely waiting in an unkillable state. Also,
a normal uninterruptible wait should not have resulted in the hung-task
watchdog getting triggered, but the endless loop would.
This fixes issues observed during system reboot/shutdown when supplicant
got hung for some reason or gets crashed/killed which lead to client
getting hung in an unkillable state. It in turn lead to system being in
hung up state requiring hard power off/on to recover.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:27.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/optee/supp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3eb4911364c764572e9db4ab900a57689a54e8ce",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "0180cf0373f84fff61b16f8c062553a13dd7cfca",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "c0a9a948159153be145f9471435695373904ee6d",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "ec18520f5edc20a00c34a8c9fdd6507c355e880f",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "d61cc1a435e6894bfb0dd3370c6f765d2d12825d",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "fd9d2d6124c293e40797a080adf8a9c237efd8b8",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "21234efe2a8474a6d2d01ea9573319de7858ce44",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "70b0d6b0a199c5a3ee6c72f5e61681ed6f759612",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/optee/supp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix supplicant wait loop\n\nOP-TEE supplicant is a user-space daemon and it\u0027s possible for it\nbe hung or crashed or killed in the middle of processing an OP-TEE\nRPC call. It becomes more complicated when there is incorrect shutdown\nordering of the supplicant process vs the OP-TEE client application which\ncan eventually lead to system hang-up waiting for the closure of the\nclient application.\n\nAllow the client process waiting in kernel for supplicant response to\nbe killed rather than indefinitely waiting in an unkillable state. Also,\na normal uninterruptible wait should not have resulted in the hung-task\nwatchdog getting triggered, but the endless loop would.\n\nThis fixes issues observed during system reboot/shutdown when supplicant\ngot hung for some reason or gets crashed/killed which lead to client\ngetting hung in an unkillable state. It in turn lead to system being in\nhung up state requiring hard power off/on to recover."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:55.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3eb4911364c764572e9db4ab900a57689a54e8ce"
},
{
"url": "https://git.kernel.org/stable/c/0180cf0373f84fff61b16f8c062553a13dd7cfca"
},
{
"url": "https://git.kernel.org/stable/c/c0a9a948159153be145f9471435695373904ee6d"
},
{
"url": "https://git.kernel.org/stable/c/ec18520f5edc20a00c34a8c9fdd6507c355e880f"
},
{
"url": "https://git.kernel.org/stable/c/d61cc1a435e6894bfb0dd3370c6f765d2d12825d"
},
{
"url": "https://git.kernel.org/stable/c/fd9d2d6124c293e40797a080adf8a9c237efd8b8"
},
{
"url": "https://git.kernel.org/stable/c/21234efe2a8474a6d2d01ea9573319de7858ce44"
},
{
"url": "https://git.kernel.org/stable/c/70b0d6b0a199c5a3ee6c72f5e61681ed6f759612"
}
],
"title": "tee: optee: Fix supplicant wait loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21871",
"datePublished": "2025-03-27T13:38:23.461Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-11-03T19:38:27.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-1016 (GCVE-0-2022-1016)
Vulnerability from cvelistv5
Published
2022-08-29 14:03
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-824 - - Access of Uninitialized Pointer.
Summary
A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2022/q1/205"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066614"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-1016"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Affects v3.13-rc1 and later, Fixed in v5.18-rc1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle \u0027return\u0027 with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 - Access of Uninitialized Pointer.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-29T14:03:06",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/oss-sec/2022/q1/205"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066614"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-1016"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1016",
"datePublished": "2022-08-29T14:03:06",
"dateReserved": "2022-03-17T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49137 (GCVE-0-2022-49137)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
This issue takes place in an error path in
amdgpu_cs_fence_to_handle_ioctl(). When `info->in.what` falls into
default case, the function simply returns -EINVAL, forgetting to
decrement the reference count of a dma_fence obj, which is bumped
earlier by amdgpu_cs_get_fence(). This may result in reference count
leaks.
Fix it by decreasing the refcount of specific object before returning
the error code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:05.650366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:02.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72d77ddb2224ebc00648f4f78f8a9a259dccbdf7",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "4009f104b02b223d1a11d74b36b1cc083bc37028",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "927beb05aaa429c883cc0ec6adc48964b187e291",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "3edd8646cb7c11b57c90e026bda6f21076223f5b",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "b6d1f7d97c81ebaf2cda9c4c943ee2e484fffdcf",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "bc2d5c0775c839e2b072884f4ee6a93ba410f107",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "dfced44f122c500004a48ecc8db516bb6a295a1b",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj\n\nThis issue takes place in an error path in\namdgpu_cs_fence_to_handle_ioctl(). When `info-\u003ein.what` falls into\ndefault case, the function simply returns -EINVAL, forgetting to\ndecrement the reference count of a dma_fence obj, which is bumped\nearlier by amdgpu_cs_get_fence(). This may result in reference count\nleaks.\n\nFix it by decreasing the refcount of specific object before returning\nthe error code."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:01:57.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72d77ddb2224ebc00648f4f78f8a9a259dccbdf7"
},
{
"url": "https://git.kernel.org/stable/c/4009f104b02b223d1a11d74b36b1cc083bc37028"
},
{
"url": "https://git.kernel.org/stable/c/927beb05aaa429c883cc0ec6adc48964b187e291"
},
{
"url": "https://git.kernel.org/stable/c/3edd8646cb7c11b57c90e026bda6f21076223f5b"
},
{
"url": "https://git.kernel.org/stable/c/b6d1f7d97c81ebaf2cda9c4c943ee2e484fffdcf"
},
{
"url": "https://git.kernel.org/stable/c/bc2d5c0775c839e2b072884f4ee6a93ba410f107"
},
{
"url": "https://git.kernel.org/stable/c/dfced44f122c500004a48ecc8db516bb6a295a1b"
}
],
"title": "drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49137",
"datePublished": "2025-02-26T01:55:10.030Z",
"dateReserved": "2025-02-26T01:49:39.268Z",
"dateUpdated": "2025-10-01T19:57:02.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49135 (GCVE-0-2022-49135)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix memory leak
[why]
Resource release is needed on the error handling path
to prevent memory leak.
[how]
Fix this by adding kfree on the error handling path.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:09.216128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:02.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e10369c72db7a0e2f77b2e306aadc07aef6b07a",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3ce1497add6d17b48cc9df65095bd20202d93994",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9d0bef3cc22cf250278ed45b829f062a00af9e27",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "5d5c6dba2b43e28845d7d7ed32a36802329a5f52",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak\n\n[why]\nResource release is needed on the error handling path\nto prevent memory leak.\n\n[how]\nFix this by adding kfree on the error handling path."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T17:19:07.774Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e10369c72db7a0e2f77b2e306aadc07aef6b07a"
},
{
"url": "https://git.kernel.org/stable/c/3ce1497add6d17b48cc9df65095bd20202d93994"
},
{
"url": "https://git.kernel.org/stable/c/9d0bef3cc22cf250278ed45b829f062a00af9e27"
},
{
"url": "https://git.kernel.org/stable/c/5d5c6dba2b43e28845d7d7ed32a36802329a5f52"
}
],
"title": "drm/amd/display: Fix memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49135",
"datePublished": "2025-02-26T01:55:08.814Z",
"dateReserved": "2025-02-26T01:49:39.268Z",
"dateUpdated": "2025-10-01T19:57:02.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47633 (GCVE-0-2021-47633)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-21 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curve is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with real device.
The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 Version: 8e218fb24faef0bfe95bc91b3c05261e20439527 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/eeprom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4de974019a0adf34d0e7de6b86252f1bd266b06",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "25efc5d03455c3839249bc77fce5e29ecb54677e",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "c4e2f577271e158d87a916afb4e87415a88ce856",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "9d7d83d0399e23d66fd431b553842a84ac10398f",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "be2f81024e7981565d90a4c9ca3067d11b6bca7f",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "fc8f7752a82f4accb99c0f1a868906ba1eb7b86f",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "cbd96d6cad6625feba9c8d101ed4977d53e82f8e",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
},
{
"lessThan": "564d4eceb97eaf381dd6ef6470b06377bb50c95a",
"status": "affected",
"version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/eeprom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111\n\nThe bug was found during fuzzing. Stacktrace locates it in\nath5k_eeprom_convert_pcal_info_5111.\nWhen none of the curve is selected in the loop, idx can go\nup to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.\npd = \u0026chinfo[pier].pd_curves[idx];\n\nThere are many OOB writes using pd later in the code. So I\nadded a sanity check for idx. Checks for other loops involving\nAR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not\nused outside the loops.\n\nThe patch is NOT tested with real device.\n\nThe following is the fuzzing report\n\nBUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\nWrite of size 1 at addr ffff8880174a4d60 by task modprobe/214\n\nCPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1\nCall Trace:\n dump_stack+0x76/0xa0\n print_address_description.constprop.0+0x16/0x200\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n __kasan_report.cold+0x37/0x7c\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n kasan_report+0xe/0x20\n ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]\n ath5k_eeprom_init+0x2513/0x6290 [ath5k]\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? usleep_range+0xb8/0x100\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]\n ath5k_hw_init+0xb60/0x1970 [ath5k]\n ath5k_init_ah+0x6fe/0x2530 [ath5k]\n ? kasprintf+0xa6/0xe0\n ? ath5k_stop+0x140/0x140 [ath5k]\n ? _dev_notice+0xf6/0xf6\n ? apic_timer_interrupt+0xa/0x20\n ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n ? mutex_lock+0x89/0xd0\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n local_pci_probe+0xd3/0x160\n pci_device_probe+0x23f/0x3e0\n ? pci_device_remove+0x280/0x280\n ? pci_device_remove+0x280/0x280\n really_probe+0x209/0x5d0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:31:54.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06"
},
{
"url": "https://git.kernel.org/stable/c/ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84"
},
{
"url": "https://git.kernel.org/stable/c/25efc5d03455c3839249bc77fce5e29ecb54677e"
},
{
"url": "https://git.kernel.org/stable/c/c4e2f577271e158d87a916afb4e87415a88ce856"
},
{
"url": "https://git.kernel.org/stable/c/9d7d83d0399e23d66fd431b553842a84ac10398f"
},
{
"url": "https://git.kernel.org/stable/c/be2f81024e7981565d90a4c9ca3067d11b6bca7f"
},
{
"url": "https://git.kernel.org/stable/c/fc8f7752a82f4accb99c0f1a868906ba1eb7b86f"
},
{
"url": "https://git.kernel.org/stable/c/cbd96d6cad6625feba9c8d101ed4977d53e82f8e"
},
{
"url": "https://git.kernel.org/stable/c/564d4eceb97eaf381dd6ef6470b06377bb50c95a"
}
],
"title": "ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47633",
"datePublished": "2025-02-26T01:54:08.651Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-05-21T08:31:54.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49062 (GCVE-0-2022-49062)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr
Use the actual length of volume coherency data when setting the
xattr to avoid the following KASAN report.
BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347
CPU: 6 PID: 1347 Comm: kworker/6:0 Kdump: loaded Not tainted 5.18.0-rc1-nfs-fscache-netfs+ #13
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014
Workqueue: events fscache_create_volume_work [fscache]
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5a
print_report.cold+0x5e/0x5db
? __lock_text_start+0x8/0x8
? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
kasan_report+0xab/0x120
? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
kasan_check_range+0xf5/0x1d0
memcpy+0x39/0x60
cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
cachefiles_acquire_volume+0x2be/0x500 [cachefiles]
? __cachefiles_free_volume+0x90/0x90 [cachefiles]
fscache_create_volume_work+0x68/0x160 [fscache]
process_one_work+0x3b7/0x6a0
worker_thread+0x2c4/0x650
? process_one_work+0x6a0/0x6a0
kthread+0x16c/0x1a0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Allocated by task 1347:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
cachefiles_set_volume_xattr+0x76/0x350 [cachefiles]
cachefiles_acquire_volume+0x2be/0x500 [cachefiles]
fscache_create_volume_work+0x68/0x160 [fscache]
process_one_work+0x3b7/0x6a0
worker_thread+0x2c4/0x650
kthread+0x16c/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888101e02af0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 4 bytes inside of
8-byte region [ffff888101e02af0, ffff888101e02af8)
The buggy address belongs to the physical page:
page:00000000a2292d70 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e02
flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0000200 0000000000000000 dead000000000001 ffff888100042280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888101e02980: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
ffff888101e02a00: 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00
>ffff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc
^
ffff888101e02b00: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc
ffff888101e02b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
==================================================================
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:46.162321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cachefiles/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09a5df1b88c8f126c8ff9938edf160edd4e92f42",
"status": "affected",
"version": "413a4a6b0b5553f2423d210f65e98c211b99c3f8",
"versionType": "git"
},
{
"lessThan": "7b2f6c306601240635c72caa61f682e74d4591b2",
"status": "affected",
"version": "413a4a6b0b5553f2423d210f65e98c211b99c3f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cachefiles/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr\n\nUse the actual length of volume coherency data when setting the\nxattr to avoid the following KASAN report.\n\n BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347\n\n CPU: 6 PID: 1347 Comm: kworker/6:0 Kdump: loaded Not tainted 5.18.0-rc1-nfs-fscache-netfs+ #13\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014\n Workqueue: events fscache_create_volume_work [fscache]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x5a\n print_report.cold+0x5e/0x5db\n ? __lock_text_start+0x8/0x8\n ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n kasan_report+0xab/0x120\n ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n kasan_check_range+0xf5/0x1d0\n memcpy+0x39/0x60\n cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n cachefiles_acquire_volume+0x2be/0x500 [cachefiles]\n ? __cachefiles_free_volume+0x90/0x90 [cachefiles]\n fscache_create_volume_work+0x68/0x160 [fscache]\n process_one_work+0x3b7/0x6a0\n worker_thread+0x2c4/0x650\n ? process_one_work+0x6a0/0x6a0\n kthread+0x16c/0x1a0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n\n Allocated by task 1347:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n cachefiles_set_volume_xattr+0x76/0x350 [cachefiles]\n cachefiles_acquire_volume+0x2be/0x500 [cachefiles]\n fscache_create_volume_work+0x68/0x160 [fscache]\n process_one_work+0x3b7/0x6a0\n worker_thread+0x2c4/0x650\n kthread+0x16c/0x1a0\n ret_from_fork+0x22/0x30\n\n The buggy address belongs to the object at ffff888101e02af0\n which belongs to the cache kmalloc-8 of size 8\n The buggy address is located 4 bytes inside of\n 8-byte region [ffff888101e02af0, ffff888101e02af8)\n\n The buggy address belongs to the physical page:\n page:00000000a2292d70 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e02\n flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\n raw: 0017ffffc0000200 0000000000000000 dead000000000001 ffff888100042280\n raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888101e02980: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc\n ffff888101e02a00: 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00\n \u003effff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc\n ^\n ffff888101e02b00: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc\n ffff888101e02b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc\n =================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:55.397Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09a5df1b88c8f126c8ff9938edf160edd4e92f42"
},
{
"url": "https://git.kernel.org/stable/c/7b2f6c306601240635c72caa61f682e74d4591b2"
}
],
"title": "cachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49062",
"datePublished": "2025-02-26T01:54:31.788Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-10-01T19:57:06.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49650 (GCVE-0-2022-49650)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: fix runtime PM underflow
Commit dbad41e7bb5f ("dmaengine: qcom: bam_dma: check if the runtime pm enabled")
caused unbalanced pm_runtime_get/put() calls when the bam is
controlled remotely. This commit reverts it and just enables pm_runtime
in all cases, the clk_* functions already just nop when the clock is NULL.
Also clean up a bit by removing unnecessary bamclk null checks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f6ded79068cac8cff41d5d5632564165d98ee12",
"status": "affected",
"version": "dbad41e7bb5f4b9949ff5ea1d76c20711f326308",
"versionType": "git"
},
{
"lessThan": "b702a1077b51fcb39507cc3bd39206f539319a96",
"status": "affected",
"version": "dbad41e7bb5f4b9949ff5ea1d76c20711f326308",
"versionType": "git"
},
{
"lessThan": "0ac9c3dd0d6fe293cd5044cfad10bec27d171e4e",
"status": "affected",
"version": "dbad41e7bb5f4b9949ff5ea1d76c20711f326308",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: fix runtime PM underflow\n\nCommit dbad41e7bb5f (\"dmaengine: qcom: bam_dma: check if the runtime pm enabled\")\ncaused unbalanced pm_runtime_get/put() calls when the bam is\ncontrolled remotely. This commit reverts it and just enables pm_runtime\nin all cases, the clk_* functions already just nop when the clock is NULL.\n\nAlso clean up a bit by removing unnecessary bamclk null checks."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:34.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f6ded79068cac8cff41d5d5632564165d98ee12"
},
{
"url": "https://git.kernel.org/stable/c/b702a1077b51fcb39507cc3bd39206f539319a96"
},
{
"url": "https://git.kernel.org/stable/c/0ac9c3dd0d6fe293cd5044cfad10bec27d171e4e"
}
],
"title": "dmaengine: qcom: bam_dma: fix runtime PM underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49650",
"datePublished": "2025-02-26T02:23:53.006Z",
"dateReserved": "2025-02-26T02:21:30.433Z",
"dateUpdated": "2025-05-04T08:42:34.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49321 (GCVE-0-2022-49321)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: treat all calls not a bcall when bc_serv is NULL
When a rdma server returns a fault format reply, nfs v3 client may
treats it as a bcall when bc service is not exist.
The debug message at rpcrdma_bc_receive_call are,
[56579.837169] RPC: rpcrdma_bc_receive_call: callback XID
00000001, length=20
[56579.837174] RPC: rpcrdma_bc_receive_call: 00 00 00 01 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 04
After that, rpcrdma_bc_receive_call will meets NULL pointer as,
[ 226.057890] BUG: unable to handle kernel NULL pointer dereference at
00000000000000c8
...
[ 226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20
...
[ 226.059732] Call Trace:
[ 226.059878] rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]
[ 226.060011] __ib_process_cq+0x89/0x170 [ib_core]
[ 226.060092] ib_cq_poll_work+0x26/0x80 [ib_core]
[ 226.060257] process_one_work+0x1a7/0x360
[ 226.060367] ? create_worker+0x1a0/0x1a0
[ 226.060440] worker_thread+0x30/0x390
[ 226.060500] ? create_worker+0x1a0/0x1a0
[ 226.060574] kthread+0x116/0x130
[ 226.060661] ? kthread_flush_work_fn+0x10/0x10
[ 226.060724] ret_from_fork+0x35/0x40
...
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:44.893562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:56.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/rpc_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e3943c50764dc7c5f25911970c3ff062ec1f18c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "998d35a2aff4b81a1c784f3aa45cd3afff6814c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da99331fa62131a38a0947a8204c5208de7b0454",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8dbae5affbdbf524b48000f9d357925bb001e5f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3fc8051ee061e31db13e2fe011e8e0b71a7f815",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90c4f73104016748533a5707ecd15930fbeff402",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91784f3d77b73885e1b2e6b59d3cbf0de0a1126a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11270e7ca268e8d61b5d9e5c3a54bd1550642c9c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/rpc_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: treat all calls not a bcall when bc_serv is NULL\n\nWhen a rdma server returns a fault format reply, nfs v3 client may\ntreats it as a bcall when bc service is not exist.\n\nThe debug message at rpcrdma_bc_receive_call are,\n\n[56579.837169] RPC: rpcrdma_bc_receive_call: callback XID\n00000001, length=20\n[56579.837174] RPC: rpcrdma_bc_receive_call: 00 00 00 01 00 00 00\n00 00 00 00 00 00 00 00 00 00 00 00 04\n\nAfter that, rpcrdma_bc_receive_call will meets NULL pointer as,\n\n[ 226.057890] BUG: unable to handle kernel NULL pointer dereference at\n00000000000000c8\n...\n[ 226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20\n...\n[ 226.059732] Call Trace:\n[ 226.059878] rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]\n[ 226.060011] __ib_process_cq+0x89/0x170 [ib_core]\n[ 226.060092] ib_cq_poll_work+0x26/0x80 [ib_core]\n[ 226.060257] process_one_work+0x1a7/0x360\n[ 226.060367] ? create_worker+0x1a0/0x1a0\n[ 226.060440] worker_thread+0x30/0x390\n[ 226.060500] ? create_worker+0x1a0/0x1a0\n[ 226.060574] kthread+0x116/0x130\n[ 226.060661] ? kthread_flush_work_fn+0x10/0x10\n[ 226.060724] ret_from_fork+0x35/0x40\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:09.386Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e3943c50764dc7c5f25911970c3ff062ec1f18c"
},
{
"url": "https://git.kernel.org/stable/c/998d35a2aff4b81a1c784f3aa45cd3afff6814c1"
},
{
"url": "https://git.kernel.org/stable/c/da99331fa62131a38a0947a8204c5208de7b0454"
},
{
"url": "https://git.kernel.org/stable/c/8dbae5affbdbf524b48000f9d357925bb001e5f4"
},
{
"url": "https://git.kernel.org/stable/c/a3fc8051ee061e31db13e2fe011e8e0b71a7f815"
},
{
"url": "https://git.kernel.org/stable/c/90c4f73104016748533a5707ecd15930fbeff402"
},
{
"url": "https://git.kernel.org/stable/c/91784f3d77b73885e1b2e6b59d3cbf0de0a1126a"
},
{
"url": "https://git.kernel.org/stable/c/11270e7ca268e8d61b5d9e5c3a54bd1550642c9c"
}
],
"title": "xprtrdma: treat all calls not a bcall when bc_serv is NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49321",
"datePublished": "2025-02-26T02:10:46.186Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-10-01T19:46:56.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4454 (GCVE-0-2021-4454)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
The conclusion "j1939_session_deactivate() should be called with a
session ref-count of at least 2" is incorrect. In some concurrent
scenarios, j1939_session_deactivate can be called with the session
ref-count less than 2. But there is not any problem because it
will check the session active state before session putting in
j1939_session_deactivate_locked().
Here is the concurrent scenario of the problem reported by syzbot
and my reproduction log.
cpu0 cpu1
j1939_xtp_rx_eoma
j1939_xtp_rx_abort_one
j1939_session_get_by_addr [kref == 2]
j1939_session_get_by_addr [kref == 3]
j1939_session_deactivate [kref == 2]
j1939_session_put [kref == 1]
j1939_session_completed
j1939_session_deactivate
WARN_ON_ONCE(kref < 2)
=====================================================
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:j1939_session_deactivate+0x5f/0x70
Call Trace:
j1939_session_deactivate_activate_next+0x11/0x28
j1939_xtp_rx_eoma+0x12a/0x180
j1939_tp_recv+0x4a2/0x510
j1939_can_recv+0x226/0x380
can_rcv_filter+0xf8/0x220
can_receive+0x102/0x220
? process_backlog+0xf0/0x2c0
can_rcv+0x53/0xf0
__netif_receive_skb_one_core+0x67/0x90
? process_backlog+0x97/0x2c0
__netif_receive_skb+0x22/0x80
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7eef18c0479ba5d9f54fba30cd77c233ebca3eb1 Version: 55dd22c5d029423f513fd849e633adf0e9c10d0c Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 5e1fc537c1be332aef9621ca9146aeb3ba59522f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6950df42a03c9ac9290503ced3f371199cb68fa9",
"status": "affected",
"version": "7eef18c0479ba5d9f54fba30cd77c233ebca3eb1",
"versionType": "git"
},
{
"lessThan": "b6d44072117bba057d50f7a2f96e5d070c65926d",
"status": "affected",
"version": "55dd22c5d029423f513fd849e633adf0e9c10d0c",
"versionType": "git"
},
{
"lessThan": "9ab896775f98ff54b68512f345eed178bf961084",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"lessThan": "1740a1e45eee65099a92fb502e1e67e63aad277d",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"lessThan": "d0553680f94c49bbe0e39eb50d033ba563b4212d",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"status": "affected",
"version": "5e1fc537c1be332aef9621ca9146aeb3ba59522f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.138",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate\n\nThe conclusion \"j1939_session_deactivate() should be called with a\nsession ref-count of at least 2\" is incorrect. In some concurrent\nscenarios, j1939_session_deactivate can be called with the session\nref-count less than 2. But there is not any problem because it\nwill check the session active state before session putting in\nj1939_session_deactivate_locked().\n\nHere is the concurrent scenario of the problem reported by syzbot\nand my reproduction log.\n\n cpu0 cpu1\n j1939_xtp_rx_eoma\nj1939_xtp_rx_abort_one\n j1939_session_get_by_addr [kref == 2]\nj1939_session_get_by_addr [kref == 3]\nj1939_session_deactivate [kref == 2]\nj1939_session_put [kref == 1]\n\t\t\t\tj1939_session_completed\n\t\t\t\tj1939_session_deactivate\n\t\t\t\tWARN_ON_ONCE(kref \u003c 2)\n\n=====================================================\nWARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70\nCPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:j1939_session_deactivate+0x5f/0x70\nCall Trace:\n j1939_session_deactivate_activate_next+0x11/0x28\n j1939_xtp_rx_eoma+0x12a/0x180\n j1939_tp_recv+0x4a2/0x510\n j1939_can_recv+0x226/0x380\n can_rcv_filter+0xf8/0x220\n can_receive+0x102/0x220\n ? process_backlog+0xf0/0x2c0\n can_rcv+0x53/0xf0\n __netif_receive_skb_one_core+0x67/0x90\n ? process_backlog+0x97/0x2c0\n __netif_receive_skb+0x22/0x80"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:40:33.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6950df42a03c9ac9290503ced3f371199cb68fa9"
},
{
"url": "https://git.kernel.org/stable/c/b6d44072117bba057d50f7a2f96e5d070c65926d"
},
{
"url": "https://git.kernel.org/stable/c/9ab896775f98ff54b68512f345eed178bf961084"
},
{
"url": "https://git.kernel.org/stable/c/1740a1e45eee65099a92fb502e1e67e63aad277d"
},
{
"url": "https://git.kernel.org/stable/c/d0553680f94c49bbe0e39eb50d033ba563b4212d"
}
],
"title": "can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-4454",
"datePublished": "2025-03-27T16:37:09.381Z",
"dateReserved": "2025-02-26T02:29:43.631Z",
"dateUpdated": "2025-05-04T12:40:33.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49377 (GCVE-0-2022-49377)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx
blk_mq_run_hw_queues() could be run when there isn't queued request and
after queue is cleaned up, at that time tagset is freed, because tagset
lifetime is covered by driver, and often freed after blk_cleanup_queue()
returns.
So don't touch ->tagset for figuring out current default hctx by the mapping
built in request queue, so use-after-free on tagset can be avoided. Meantime
this way should be fast than retrieving mapping from tagset.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:30.402440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff",
"status": "affected",
"version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
"versionType": "git"
},
{
"lessThan": "b140bac470b4f707cda59c7266214246238661df",
"status": "affected",
"version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
"versionType": "git"
},
{
"lessThan": "70fdd922c7bf8949f8df109cf2635dff64c90392",
"status": "affected",
"version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
"versionType": "git"
},
{
"lessThan": "5d05426e2d5fd7df8afc866b78c36b37b00188b7",
"status": "affected",
"version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx\n\nblk_mq_run_hw_queues() could be run when there isn\u0027t queued request and\nafter queue is cleaned up, at that time tagset is freed, because tagset\nlifetime is covered by driver, and often freed after blk_cleanup_queue()\nreturns.\n\nSo don\u0027t touch -\u003etagset for figuring out current default hctx by the mapping\nbuilt in request queue, so use-after-free on tagset can be avoided. Meantime\nthis way should be fast than retrieving mapping from tagset."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:23.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff"
},
{
"url": "https://git.kernel.org/stable/c/b140bac470b4f707cda59c7266214246238661df"
},
{
"url": "https://git.kernel.org/stable/c/70fdd922c7bf8949f8df109cf2635dff64c90392"
},
{
"url": "https://git.kernel.org/stable/c/5d05426e2d5fd7df8afc866b78c36b37b00188b7"
}
],
"title": "blk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49377",
"datePublished": "2025-02-26T02:11:16.607Z",
"dateReserved": "2025-02-26T02:08:31.558Z",
"dateUpdated": "2025-05-04T08:36:23.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38606 (GCVE-0-2024-38606)
Vulnerability from cvelistv5
Published
2024-06-19 13:48
Modified
2025-05-04 09:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - validate slices count returned by FW
The function adf_send_admin_tl_start() enables the telemetry (TL)
feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
the firmware. This triggers the FW to start writing TL data to a DMA
buffer in memory and returns an array containing the number of
accelerators of each type (slices) supported by this HW.
The pointer to this array is stored in the adf_tl_hw_data data
structure called slice_cnt.
The array slice_cnt is then used in the function tl_print_dev_data()
to report in debugfs only statistics about the supported accelerators.
An incorrect value of the elements in slice_cnt might lead to an out
of bounds memory read.
At the moment, there isn't an implementation of FW that returns a wrong
value, but for robustness validate the slice count array returned by FW.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T18:15:45.557603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T18:15:53.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c",
"drivers/crypto/intel/qat/qat_common/adf_telemetry.c",
"drivers/crypto/intel/qat/qat_common/adf_telemetry.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e57ed345e2e6043629fc74aa5be051415dcc4f77",
"status": "affected",
"version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
"versionType": "git"
},
{
"lessThan": "9b284b915e2a5e63ca133353f8c456eff4446f82",
"status": "affected",
"version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
"versionType": "git"
},
{
"lessThan": "483fd65ce29317044d1d00757e3fd23503b6b04c",
"status": "affected",
"version": "69e7649f7cc2aaa7889174456d39319a623c1a18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c",
"drivers/crypto/intel/qat/qat_common/adf_telemetry.c",
"drivers/crypto/intel/qat/qat_common/adf_telemetry.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - validate slices count returned by FW\n\nThe function adf_send_admin_tl_start() enables the telemetry (TL)\nfeature on a QAT device by sending the ICP_QAT_FW_TL_START message to\nthe firmware. This triggers the FW to start writing TL data to a DMA\nbuffer in memory and returns an array containing the number of\naccelerators of each type (slices) supported by this HW.\nThe pointer to this array is stored in the adf_tl_hw_data data\nstructure called slice_cnt.\n\nThe array slice_cnt is then used in the function tl_print_dev_data()\nto report in debugfs only statistics about the supported accelerators.\nAn incorrect value of the elements in slice_cnt might lead to an out\nof bounds memory read.\nAt the moment, there isn\u0027t an implementation of FW that returns a wrong\nvalue, but for robustness validate the slice count array returned by FW."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:15:09.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77"
},
{
"url": "https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82"
},
{
"url": "https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c"
}
],
"title": "crypto: qat - validate slices count returned by FW",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38606",
"datePublished": "2024-06-19T13:48:16.428Z",
"dateReserved": "2024-06-18T19:36:34.935Z",
"dateUpdated": "2025-05-04T09:15:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49054 (GCVE-0-2022-49054)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests
hv_panic_page might contain guest-sensitive information, do not dump it
over to Hyper-V by default in isolated guests.
While at it, update some comments in hyperv_{panic,die}_event().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b576e81d31b56b248316b8ff816b1cc5c4407c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6230bc50d6d21cae4c084766623d0a6d17958721",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f8b577f7b43b2170628d6c537252785dcc2dcea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests\n\nhv_panic_page might contain guest-sensitive information, do not dump it\nover to Hyper-V by default in isolated guests.\n\nWhile at it, update some comments in hyperv_{panic,die}_event()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:45.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b576e81d31b56b248316b8ff816b1cc5c4407c7"
},
{
"url": "https://git.kernel.org/stable/c/6230bc50d6d21cae4c084766623d0a6d17958721"
},
{
"url": "https://git.kernel.org/stable/c/9f8b577f7b43b2170628d6c537252785dcc2dcea"
}
],
"title": "Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49054",
"datePublished": "2025-02-26T01:54:27.286Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-05-04T08:28:45.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49336 (GCVE-0-2022-49336)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/etnaviv: check for reaped mapping in etnaviv_iommu_unmap_gem
When the mapping is already reaped the unmap must be a no-op, as we
would otherwise try to remove the mapping twice, corrupting the involved
data structures.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 Version: a8c21a5451d831e67b7a6fb910f9ca8bc7b43554 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/etnaviv/etnaviv_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19323b3671a85788569d15685c8f83a05ec48cbb",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
},
{
"lessThan": "436cff507f2a41230baacc3e2ef1d3b2d2653f40",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
},
{
"lessThan": "03bd455a79f69d97fee3e3b212ab754442f10e5c",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
},
{
"lessThan": "461c0fdf9434188875da9f10cfc86065866bb797",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
},
{
"lessThan": "64f4edec081cb7c97c5e928529d0e1b0dbbffb83",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
},
{
"lessThan": "e168c25526cd0368af098095c2ded4a008007e1b",
"status": "affected",
"version": "a8c21a5451d831e67b7a6fb910f9ca8bc7b43554",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/etnaviv/etnaviv_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/etnaviv: check for reaped mapping in etnaviv_iommu_unmap_gem\n\nWhen the mapping is already reaped the unmap must be a no-op, as we\nwould otherwise try to remove the mapping twice, corrupting the involved\ndata structures."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:28.578Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19323b3671a85788569d15685c8f83a05ec48cbb"
},
{
"url": "https://git.kernel.org/stable/c/436cff507f2a41230baacc3e2ef1d3b2d2653f40"
},
{
"url": "https://git.kernel.org/stable/c/03bd455a79f69d97fee3e3b212ab754442f10e5c"
},
{
"url": "https://git.kernel.org/stable/c/461c0fdf9434188875da9f10cfc86065866bb797"
},
{
"url": "https://git.kernel.org/stable/c/64f4edec081cb7c97c5e928529d0e1b0dbbffb83"
},
{
"url": "https://git.kernel.org/stable/c/e168c25526cd0368af098095c2ded4a008007e1b"
}
],
"title": "drm/etnaviv: check for reaped mapping in etnaviv_iommu_unmap_gem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49336",
"datePublished": "2025-02-26T02:10:55.234Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-05-04T08:35:28.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49044 (GCVE-0-2022-49044)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm integrity: fix memory corruption when tag_size is less than digest size
It is possible to set up dm-integrity in such a way that the
"tag_size" parameter is less than the actual digest size. In this
situation, a part of the digest beyond tag_size is ignored.
In this case, dm-integrity would write beyond the end of the
ic->recalc_tags array and corrupt memory. The corruption happened in
integrity_recalc->integrity_sector_checksum->crypto_shash_final.
Fix this corruption by increasing the tags array so that it has enough
padding at the end to accomodate the loop in integrity_recalc() being
able to write a full digest size for the last member of the tags
array.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 Version: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a95d91c0b315c965198f6ab7dec7c94129e17e0",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "7f84c937222944c03f4615ca4742df6bed0e5adf",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "cd02b2687d66f0a8e716384de4b9a0671331f1dc",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "6b4bf97587ef6c1927a78934b700204920655123",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "4d485cf9b609709e45d5113e6e2b1b01254b2fe9",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "08c1af8f1c13bbf210f1760132f4df24d0ed46d6",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.240",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: fix memory corruption when tag_size is less than digest size\n\nIt is possible to set up dm-integrity in such a way that the\n\"tag_size\" parameter is less than the actual digest size. In this\nsituation, a part of the digest beyond tag_size is ignored.\n\nIn this case, dm-integrity would write beyond the end of the\nic-\u003erecalc_tags array and corrupt memory. The corruption happened in\nintegrity_recalc-\u003eintegrity_sector_checksum-\u003ecrypto_shash_final.\n\nFix this corruption by increasing the tags array so that it has enough\npadding at the end to accomodate the loop in integrity_recalc() being\nable to write a full digest size for the last member of the tags\narray."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:33.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a95d91c0b315c965198f6ab7dec7c94129e17e0"
},
{
"url": "https://git.kernel.org/stable/c/7f84c937222944c03f4615ca4742df6bed0e5adf"
},
{
"url": "https://git.kernel.org/stable/c/cd02b2687d66f0a8e716384de4b9a0671331f1dc"
},
{
"url": "https://git.kernel.org/stable/c/6b4bf97587ef6c1927a78934b700204920655123"
},
{
"url": "https://git.kernel.org/stable/c/4d485cf9b609709e45d5113e6e2b1b01254b2fe9"
},
{
"url": "https://git.kernel.org/stable/c/08c1af8f1c13bbf210f1760132f4df24d0ed46d6"
}
],
"title": "dm integrity: fix memory corruption when tag_size is less than digest size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49044",
"datePublished": "2025-02-26T01:54:21.389Z",
"dateReserved": "2025-02-26T01:49:39.241Z",
"dateUpdated": "2025-05-04T08:28:33.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49730 (GCVE-0-2022-49730)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted
A use-after-free crash can occur after an ELS LOGO is aborted.
Specifically, a nodelist structure is freed and then
ndlp->vport->cfg_log_verbose is dereferenced in lpfc_nlp_get() when the
discovery state machine is mistakenly called a second time with
NLP_EVT_DEVICE_RM argument.
Rework lpfc_cmpl_els_logo() to prevent the duplicate calls to release a
nodelist structure.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:49.491525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_els.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e83869e29448958f8ae2c6911f350318f75e4fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eea34ce23dc3a595695856dc73bb132a9c5a2902",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1b3440f437b75fb2a9b0cfe58df461e40eca474",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_els.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted\n\nA use-after-free crash can occur after an ELS LOGO is aborted.\n\nSpecifically, a nodelist structure is freed and then\nndlp-\u003evport-\u003ecfg_log_verbose is dereferenced in lpfc_nlp_get() when the\ndiscovery state machine is mistakenly called a second time with\nNLP_EVT_DEVICE_RM argument.\n\nRework lpfc_cmpl_els_logo() to prevent the duplicate calls to release a\nnodelist structure."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:14.341Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e83869e29448958f8ae2c6911f350318f75e4fc"
},
{
"url": "https://git.kernel.org/stable/c/eea34ce23dc3a595695856dc73bb132a9c5a2902"
},
{
"url": "https://git.kernel.org/stable/c/b1b3440f437b75fb2a9b0cfe58df461e40eca474"
}
],
"title": "scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49730",
"datePublished": "2025-02-26T02:24:40.643Z",
"dateReserved": "2025-02-26T02:21:30.449Z",
"dateUpdated": "2025-05-04T08:44:14.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49224 (GCVE-0-2022-49224)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add():
If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object.
Fix memory leak by calling kobject_put().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd Version: 8c0984e5a75337df513047ec92a6c09d78e3e5cd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:22.689840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:04.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/ab8500_fg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31cdf7897dba1f096b74f69d840f0575b8cdb9ae",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "19aa3c98ed7b2616e105946cec804f897837ab84",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "db3a61ef8e6aef3b888baa6a85926c2230c2cc56",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "41ed61364285ff38bbbe9ca8a45c8372ba72921d",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "879356a6a05559582b0a7895d86d2d4359745c08",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "ffb8e92b4cef92bd25563cf3d8b4489eb22bc61f",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "261041097ab3470f1120b7733cbf472712304d1e",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "c32f6b6196b6efc1c68990dfeaac36fb8eb3b8e1",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
},
{
"lessThan": "6a4760463dbc6b603690938c468839985189ce0a",
"status": "affected",
"version": "8c0984e5a75337df513047ec92a6c09d78e3e5cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/ab8500_fg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\uff1a\n\n If this function returns an error, kobject_put() must be called to\n properly clean up the memory associated with the object.\n\nFix memory leak by calling kobject_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:48.944Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31cdf7897dba1f096b74f69d840f0575b8cdb9ae"
},
{
"url": "https://git.kernel.org/stable/c/19aa3c98ed7b2616e105946cec804f897837ab84"
},
{
"url": "https://git.kernel.org/stable/c/db3a61ef8e6aef3b888baa6a85926c2230c2cc56"
},
{
"url": "https://git.kernel.org/stable/c/41ed61364285ff38bbbe9ca8a45c8372ba72921d"
},
{
"url": "https://git.kernel.org/stable/c/879356a6a05559582b0a7895d86d2d4359745c08"
},
{
"url": "https://git.kernel.org/stable/c/ffb8e92b4cef92bd25563cf3d8b4489eb22bc61f"
},
{
"url": "https://git.kernel.org/stable/c/261041097ab3470f1120b7733cbf472712304d1e"
},
{
"url": "https://git.kernel.org/stable/c/c32f6b6196b6efc1c68990dfeaac36fb8eb3b8e1"
},
{
"url": "https://git.kernel.org/stable/c/6a4760463dbc6b603690938c468839985189ce0a"
}
],
"title": "power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49224",
"datePublished": "2025-02-26T01:55:54.755Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-10-01T19:47:04.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49338 (GCVE-0-2022-49338)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: CT: Fix cleanup of CT before cleanup of TC ct rules
CT cleanup assumes that all tc rules were deleted first, and so
is free to delete the CT shared resources (e.g the dr_action
fwd_action which is shared for all tuples). But currently for
uplink, this is happens in reverse, causing the below trace.
CT cleanup is called from:
mlx5e_cleanup_rep_tx()->mlx5e_cleanup_uplink_rep_tx()->
mlx5e_rep_tc_cleanup()->mlx5e_tc_esw_cleanup()->
mlx5_tc_ct_clean()
Only afterwards, tc cleanup is called from:
mlx5e_cleanup_rep_tx()->mlx5e_tc_ht_cleanup()
which would have deleted all the tc ct rules, and so delete
all the offloaded tuples.
Fix this reversing the order of init and on cleanup, which
will result in tc cleanup then ct cleanup.
[ 9443.593347] WARNING: CPU: 2 PID: 206774 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593349] Modules linked in: act_ct nf_flow_table rdma_ucm(O) rdma_cm(O) iw_cm(O) ib_ipoib(O) ib_cm(O) ib_umad(O) mlx5_core(O-) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) psample ib_core(O) mlx_compat(O) ip_gre gre ip_tunnel act_vlan bonding geneve esp6_offload esp6 esp4_offload esp4 act_tunnel_key vxlan ip6_udp_tunnel udp_tunnel act_mirred act_skbedit act_gact cls_flower sch_ingress nfnetlink_cttimeout nfnetlink xfrm_user xfrm_algo 8021q garp stp ipmi_devintf mrp ipmi_msghandler llc openvswitch nsh nf_conncount nf_nat mst_pciconf(O) dm_multipath sbsa_gwdt uio_pdrv_genirq uio mlxbf_pmc mlxbf_pka mlx_trio mlx_bootctl(O) bluefield_edac sch_fq_codel ip_tables ipv6 crc_ccitt btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq raid1 raid0 crct10dif_ce i2c_mlxbf gpio_mlxbf2 mlxbf_gige aes_neon_bs aes_neon_blk [last unloaded: mlx5_ib]
[ 9443.593419] CPU: 2 PID: 206774 Comm: modprobe Tainted: G O 5.4.0-1023.24.gc14613d-bluefield #1
[ 9443.593422] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:143ebaf Jan 11 2022
[ 9443.593424] pstate: 20000005 (nzCv daif -PAN -UAO)
[ 9443.593489] pc : mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593545] lr : mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]
[ 9443.593546] sp : ffff8000135dbab0
[ 9443.593548] x29: ffff8000135dbab0 x28: ffff0003a6ab8e80
[ 9443.593550] x27: 0000000000000000 x26: ffff0003e07d7000
[ 9443.593552] x25: ffff800009609de0 x24: ffff000397fb2120
[ 9443.593554] x23: ffff0003975c0000 x22: 0000000000000000
[ 9443.593556] x21: ffff0003975f08c0 x20: ffff800009609de0
[ 9443.593558] x19: ffff0003c8a13380 x18: 0000000000000014
[ 9443.593560] x17: 0000000067f5f125 x16: 000000006529c620
[ 9443.593561] x15: 000000000000000b x14: 0000000000000000
[ 9443.593563] x13: 0000000000000002 x12: 0000000000000001
[ 9443.593565] x11: ffff800011108868 x10: 0000000000000000
[ 9443.593567] x9 : 0000000000000000 x8 : ffff8000117fb270
[ 9443.593569] x7 : ffff0003ebc01288 x6 : 0000000000000000
[ 9443.593571] x5 : ffff800009591ab8 x4 : fffffe000f6d9a20
[ 9443.593572] x3 : 0000000080040001 x2 : fffffe000f6d9a20
[ 9443.593574] x1 : ffff8000095901d8 x0 : 0000000000000025
[ 9443.593577] Call trace:
[ 9443.593634] mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593688] mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]
[ 9443.593743] mlx5_tc_ct_clean+0x34/0xa8 [mlx5_core]
[ 9443.593797] mlx5e_tc_esw_cleanup+0x58/0x88 [mlx5_core]
[ 9443.593851] mlx5e_rep_tc_cleanup+0x24/0x30 [mlx5_core]
[ 9443.593905] mlx5e_cleanup_rep_tx+0x6c/0x78 [mlx5_core]
[ 9443.593959] mlx5e_detach_netdev+0x74/0x98 [mlx5_core]
[ 9443.594013] mlx5e_netdev_change_profile+0x70/0x180 [mlx5_core]
[ 9443.594067] mlx5e_netdev_attach_nic_profile+0x34/0x40 [mlx5_core]
[ 9443.594122] mlx5e_vport_rep_unload+0x15c/0x1a8 [mlx5_core]
[ 9443.594177] mlx5_eswitch_unregister_vport_reps+0x228/0x298 [mlx5_core]
[ 9443.594231] mlx5e_rep_remove+0x2c/0x38
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11bcc79f4bcd244145e6a2c04d5dc755303492a8",
"status": "affected",
"version": "d1a3138f7913014e0714cb1d3d44793d76fc38a1",
"versionType": "git"
},
{
"lessThan": "15ef9efa855cf405fadd78272e1e5d04e09a1cf3",
"status": "affected",
"version": "d1a3138f7913014e0714cb1d3d44793d76fc38a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT: Fix cleanup of CT before cleanup of TC ct rules\n\nCT cleanup assumes that all tc rules were deleted first, and so\nis free to delete the CT shared resources (e.g the dr_action\nfwd_action which is shared for all tuples). But currently for\nuplink, this is happens in reverse, causing the below trace.\n\nCT cleanup is called from:\nmlx5e_cleanup_rep_tx()-\u003emlx5e_cleanup_uplink_rep_tx()-\u003e\nmlx5e_rep_tc_cleanup()-\u003emlx5e_tc_esw_cleanup()-\u003e\nmlx5_tc_ct_clean()\n\nOnly afterwards, tc cleanup is called from:\nmlx5e_cleanup_rep_tx()-\u003emlx5e_tc_ht_cleanup()\nwhich would have deleted all the tc ct rules, and so delete\nall the offloaded tuples.\n\nFix this reversing the order of init and on cleanup, which\nwill result in tc cleanup then ct cleanup.\n\n[ 9443.593347] WARNING: CPU: 2 PID: 206774 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593349] Modules linked in: act_ct nf_flow_table rdma_ucm(O) rdma_cm(O) iw_cm(O) ib_ipoib(O) ib_cm(O) ib_umad(O) mlx5_core(O-) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) psample ib_core(O) mlx_compat(O) ip_gre gre ip_tunnel act_vlan bonding geneve esp6_offload esp6 esp4_offload esp4 act_tunnel_key vxlan ip6_udp_tunnel udp_tunnel act_mirred act_skbedit act_gact cls_flower sch_ingress nfnetlink_cttimeout nfnetlink xfrm_user xfrm_algo 8021q garp stp ipmi_devintf mrp ipmi_msghandler llc openvswitch nsh nf_conncount nf_nat mst_pciconf(O) dm_multipath sbsa_gwdt uio_pdrv_genirq uio mlxbf_pmc mlxbf_pka mlx_trio mlx_bootctl(O) bluefield_edac sch_fq_codel ip_tables ipv6 crc_ccitt btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq raid1 raid0 crct10dif_ce i2c_mlxbf gpio_mlxbf2 mlxbf_gige aes_neon_bs aes_neon_blk [last unloaded: mlx5_ib]\n[ 9443.593419] CPU: 2 PID: 206774 Comm: modprobe Tainted: G O 5.4.0-1023.24.gc14613d-bluefield #1\n[ 9443.593422] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:143ebaf Jan 11 2022\n[ 9443.593424] pstate: 20000005 (nzCv daif -PAN -UAO)\n[ 9443.593489] pc : mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593545] lr : mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]\n[ 9443.593546] sp : ffff8000135dbab0\n[ 9443.593548] x29: ffff8000135dbab0 x28: ffff0003a6ab8e80\n[ 9443.593550] x27: 0000000000000000 x26: ffff0003e07d7000\n[ 9443.593552] x25: ffff800009609de0 x24: ffff000397fb2120\n[ 9443.593554] x23: ffff0003975c0000 x22: 0000000000000000\n[ 9443.593556] x21: ffff0003975f08c0 x20: ffff800009609de0\n[ 9443.593558] x19: ffff0003c8a13380 x18: 0000000000000014\n[ 9443.593560] x17: 0000000067f5f125 x16: 000000006529c620\n[ 9443.593561] x15: 000000000000000b x14: 0000000000000000\n[ 9443.593563] x13: 0000000000000002 x12: 0000000000000001\n[ 9443.593565] x11: ffff800011108868 x10: 0000000000000000\n[ 9443.593567] x9 : 0000000000000000 x8 : ffff8000117fb270\n[ 9443.593569] x7 : ffff0003ebc01288 x6 : 0000000000000000\n[ 9443.593571] x5 : ffff800009591ab8 x4 : fffffe000f6d9a20\n[ 9443.593572] x3 : 0000000080040001 x2 : fffffe000f6d9a20\n[ 9443.593574] x1 : ffff8000095901d8 x0 : 0000000000000025\n[ 9443.593577] Call trace:\n[ 9443.593634] mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593688] mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]\n[ 9443.593743] mlx5_tc_ct_clean+0x34/0xa8 [mlx5_core]\n[ 9443.593797] mlx5e_tc_esw_cleanup+0x58/0x88 [mlx5_core]\n[ 9443.593851] mlx5e_rep_tc_cleanup+0x24/0x30 [mlx5_core]\n[ 9443.593905] mlx5e_cleanup_rep_tx+0x6c/0x78 [mlx5_core]\n[ 9443.593959] mlx5e_detach_netdev+0x74/0x98 [mlx5_core]\n[ 9443.594013] mlx5e_netdev_change_profile+0x70/0x180 [mlx5_core]\n[ 9443.594067] mlx5e_netdev_attach_nic_profile+0x34/0x40 [mlx5_core]\n[ 9443.594122] mlx5e_vport_rep_unload+0x15c/0x1a8 [mlx5_core]\n[ 9443.594177] mlx5_eswitch_unregister_vport_reps+0x228/0x298 [mlx5_core]\n[ 9443.594231] mlx5e_rep_remove+0x2c/0x38\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:30.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11bcc79f4bcd244145e6a2c04d5dc755303492a8"
},
{
"url": "https://git.kernel.org/stable/c/15ef9efa855cf405fadd78272e1e5d04e09a1cf3"
}
],
"title": "net/mlx5e: CT: Fix cleanup of CT before cleanup of TC ct rules",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49338",
"datePublished": "2025-02-26T02:10:56.181Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-05-04T08:35:30.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21883 (GCVE-0-2025-21883)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix deinitializing VF in error path
If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees
all VFs without removing them from snapshot PF-VF mailbox list, leading
to list corruption.
Reproducer:
devlink dev eswitch set $PF1_PCI mode switchdev
ip l s $PF1 up
ip l s $PF1 promisc on
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
Trace (minimized):
list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).
kernel BUG at lib/list_debug.c:29!
RIP: 0010:__list_add_valid_or_report+0xa6/0x100
ice_mbx_init_vf_info+0xa7/0x180 [ice]
ice_initialize_vf_entry+0x1fa/0x250 [ice]
ice_sriov_configure+0x8d7/0x1520 [ice]
? __percpu_ref_switch_mode+0x1b1/0x5d0
? __pfx_ice_sriov_configure+0x10/0x10 [ice]
Sometimes a KASAN report can be seen instead with a similar stack trace:
BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100
VFs are added to this list in ice_mbx_init_vf_info(), but only removed
in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is
also being called in other places where VFs are being removed (including
ice_free_vfs() itself).
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c01102bec9592928e6b155da41cfcd5d25a2066",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "a4880583f88deba63504ce1c8287a70d39c01378",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "34393fd78d7183a007eaf0090966ebedcc29bd57",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "79990cf5e7aded76d0c092c9f5ed31eb1c75e02c",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix deinitializing VF in error path\n\nIf ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees\nall VFs without removing them from snapshot PF-VF mailbox list, leading\nto list corruption.\n\nReproducer:\n devlink dev eswitch set $PF1_PCI mode switchdev\n ip l s $PF1 up\n ip l s $PF1 promisc on\n sleep 1\n echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n sleep 1\n echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n\nTrace (minimized):\n list_add corruption. next-\u003eprev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).\n kernel BUG at lib/list_debug.c:29!\n RIP: 0010:__list_add_valid_or_report+0xa6/0x100\n ice_mbx_init_vf_info+0xa7/0x180 [ice]\n ice_initialize_vf_entry+0x1fa/0x250 [ice]\n ice_sriov_configure+0x8d7/0x1520 [ice]\n ? __percpu_ref_switch_mode+0x1b1/0x5d0\n ? __pfx_ice_sriov_configure+0x10/0x10 [ice]\n\nSometimes a KASAN report can be seen instead with a similar stack trace:\n BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100\n\nVFs are added to this list in ice_mbx_init_vf_info(), but only removed\nin ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is\nalso being called in other places where VFs are being removed (including\nice_free_vfs() itself)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:16.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c01102bec9592928e6b155da41cfcd5d25a2066"
},
{
"url": "https://git.kernel.org/stable/c/a4880583f88deba63504ce1c8287a70d39c01378"
},
{
"url": "https://git.kernel.org/stable/c/34393fd78d7183a007eaf0090966ebedcc29bd57"
},
{
"url": "https://git.kernel.org/stable/c/79990cf5e7aded76d0c092c9f5ed31eb1c75e02c"
}
],
"title": "ice: Fix deinitializing VF in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21883",
"datePublished": "2025-03-27T14:57:11.766Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:16.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49753 (GCVE-0-2022-49753)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: Fix double increment of client_count in dma_chan_get()
The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
test of repeated module load and unload of async_tx on a Dell
Power Edge R7425 also shows this resulting in a kref underflow
warning.
[ 124.329662] async_tx: api initialized (async)
[ 129.000627] async_tx: api initialized (async)
[ 130.047839] ------------[ cut here ]------------
[ 130.052472] refcount_t: underflow; use-after-free.
[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[ 130.219729] Call Trace:
[ 130.222192] <TASK>
[ 130.224305] dma_chan_put+0x10d/0x110
[ 130.227988] dmaengine_put+0x7a/0xa0
[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280
[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0
[ 130.242652] do_syscall_64+0x5c/0x90
[ 130.246240] ? exc_page_fault+0x62/0x150
[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 130.255243] RIP: 0033:0x7f6463a3f5ab
[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[ 130.320875] </TASK>
[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---
cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2
Test-by: Jie Hai <haijie1@huawei.com>
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:36.398911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b409e14b4b7af034e0450f95c165b6c5c87dbc1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "c6221afe573413fd2981e291f7df4a58283e0654",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "18dd3b30d4c7e8440c63118c7a7b687372b9567f",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "71c601965532c38030133535f7cd93c1efa75af1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "142d644fd2cc059ffa042fbfb68e766433ef3afd",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "f3dc1b3b4750851a94212dba249703dd0e50bb20",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: Fix double increment of client_count in dma_chan_get()\n\nThe first time dma_chan_get() is called for a channel the channel\nclient_count is incorrectly incremented twice for public channels,\nfirst in balance_ref_count(), and again prior to returning. This\nresults in an incorrect client count which will lead to the\nchannel resources not being freed when they should be. A simple\n test of repeated module load and unload of async_tx on a Dell\n Power Edge R7425 also shows this resulting in a kref underflow\n warning.\n\n[ 124.329662] async_tx: api initialized (async)\n[ 129.000627] async_tx: api initialized (async)\n[ 130.047839] ------------[ cut here ]------------\n[ 130.052472] refcount_t: underflow; use-after-free.\n[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28\nrefcount_warn_saturate+0xba/0x110\n[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr\nintel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm\nmgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si\nsyscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops\nk10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat\nfat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul\nlibahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas\ni40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash\ndm_log dm_mod [last unloaded: async_tx]\n[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not\ntainted 5.14.0-185.el9.x86_64 #1\n[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS\n1.18.0 01/17/2022\n[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d\n26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a\nbd 55 00 \u003c0f\u003e 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff\n48 c7\n[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286\n[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000\n[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0\n[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff\n[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970\n[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)\nknlGS:0000000000000000\n[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0\n[ 130.219729] Call Trace:\n[ 130.222192] \u003cTASK\u003e\n[ 130.224305] dma_chan_put+0x10d/0x110\n[ 130.227988] dmaengine_put+0x7a/0xa0\n[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280\n[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0\n[ 130.242652] do_syscall_64+0x5c/0x90\n[ 130.246240] ? exc_page_fault+0x62/0x150\n[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 130.255243] RIP: 0033:0x7f6463a3f5ab\n[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48\n83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00\n00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89\n01 48\n[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:\n00000000000000b0\n[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab\n[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8\n[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000\n[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8\n[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8\n[ 130.320875] \u003c/TASK\u003e\n[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---\n\ncat /sys/class/dma/dma0chan*/in_use would get the wrong result.\n2\n2\n2\n\nTest-by: Jie Hai \u003chaijie1@huawei.com\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:39.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b409e14b4b7af034e0450f95c165b6c5c87dbc1"
},
{
"url": "https://git.kernel.org/stable/c/c6221afe573413fd2981e291f7df4a58283e0654"
},
{
"url": "https://git.kernel.org/stable/c/18dd3b30d4c7e8440c63118c7a7b687372b9567f"
},
{
"url": "https://git.kernel.org/stable/c/42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1"
},
{
"url": "https://git.kernel.org/stable/c/71c601965532c38030133535f7cd93c1efa75af1"
},
{
"url": "https://git.kernel.org/stable/c/142d644fd2cc059ffa042fbfb68e766433ef3afd"
},
{
"url": "https://git.kernel.org/stable/c/f3dc1b3b4750851a94212dba249703dd0e50bb20"
}
],
"title": "dmaengine: Fix double increment of client_count in dma_chan_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49753",
"datePublished": "2025-03-27T16:43:01.252Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:39.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53023 (GCVE-0-2023-53023)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: Fix use-after-free in local_cleanup()
Fix a use-after-free that occurs in kfree_skb() called from
local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
after detaching an nfc device.
When detaching an nfc device, local_cleanup() called from
nfc_llcp_unregister_device() frees local->rx_pending and decreases
local->ref by kref_put() in nfc_llcp_local_put().
In the terminating process, nfc daemon releases all sockets and it leads
to decreasing local->ref. After the last release of local->ref,
local_cleanup() called from local_release() frees local->rx_pending
again, which leads to the bug.
Setting local->rx_pending to NULL in local_cleanup() could prevent
use-after-free when local_cleanup() is called twice.
Found by a modified version of syzkaller.
BUG: KASAN: use-after-free in kfree_skb()
Call Trace:
dump_stack_lvl (lib/dump_stack.c:106)
print_address_description.constprop.0.cold (mm/kasan/report.c:306)
kasan_check_range (mm/kasan/generic.c:189)
kfree_skb (net/core/skbuff.c:955)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
nfc_llcp_local_put (net/nfc/llcp_core.c:181)
llcp_sock_destruct (net/nfc/llcp_sock.c:959)
__sk_destruct (net/core/sock.c:2133)
sk_destruct (net/core/sock.c:2181)
__sk_free (net/core/sock.c:2192)
sk_free (net/core/sock.c:2203)
llcp_sock_release (net/nfc/llcp_sock.c:646)
__sock_release (net/socket.c:650)
sock_close (net/socket.c:1365)
__fput (fs/file_table.c:306)
task_work_run (kernel/task_work.c:179)
ptrace_notify (kernel/signal.c:2354)
syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
syscall_exit_to_user_mode (kernel/entry/common.c:296)
do_syscall_64 (arch/x86/entry/common.c:86)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
Allocated by task 4719:
kasan_save_stack (mm/kasan/common.c:45)
__kasan_slab_alloc (mm/kasan/common.c:325)
slab_post_alloc_hook (mm/slab.h:766)
kmem_cache_alloc_node (mm/slub.c:3497)
__alloc_skb (net/core/skbuff.c:552)
pn533_recv_response (drivers/nfc/pn533/usb.c:65)
__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
tasklet_action_common.isra.0 (kernel/softirq.c:797)
__do_softirq (kernel/softirq.c:571)
Freed by task 1901:
kasan_save_stack (mm/kasan/common.c:45)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/genericdd.c:518)
__kasan_slab_free (mm/kasan/common.c:236)
kmem_cache_free (mm/slub.c:3809)
kfree_skbmem (net/core/skbuff.c:874)
kfree_skb (net/core/skbuff.c:931)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
nfc_unregister_device (net/nfc/core.c:1179)
pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
usb_unbind_interface (drivers/usb/core/driver.c:458)
device_release_driver_internal (drivers/base/dd.c:1279)
bus_remove_device (drivers/base/bus.c:529)
device_del (drivers/base/core.c:3665)
usb_disable_device (drivers/usb/core/message.c:1420)
usb_disconnect (drivers/usb/core.c:2261)
hub_event (drivers/usb/core/hub.c:5833)
process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
kthread (kernel/kthread.c:319)
ret_from_fork (arch/x86/entry/entry_64.S:301)
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T17:01:08.115465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:23.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b09ae26f08aaf2d85f96ea7f90ddd3387f62216f",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "54f7be61584b8ec4c6df405f479495b9397bae4a",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "a59cdbda3714e11aa3ab579132864c4c8c6d54f9",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "ad1baab3a5c03692d22ce446f38596a126377f6a",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "7f129927feaf7c10b1c38bbce630172e9a08c834",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "d3605282ec3502ec8847915eb2cf1f340493ff79",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: Fix use-after-free in local_cleanup()\n\nFix a use-after-free that occurs in kfree_skb() called from\nlocal_cleanup(). This could happen when killing nfc daemon (e.g. neard)\nafter detaching an nfc device.\nWhen detaching an nfc device, local_cleanup() called from\nnfc_llcp_unregister_device() frees local-\u003erx_pending and decreases\nlocal-\u003eref by kref_put() in nfc_llcp_local_put().\nIn the terminating process, nfc daemon releases all sockets and it leads\nto decreasing local-\u003eref. After the last release of local-\u003eref,\nlocal_cleanup() called from local_release() frees local-\u003erx_pending\nagain, which leads to the bug.\n\nSetting local-\u003erx_pending to NULL in local_cleanup() could prevent\nuse-after-free when local_cleanup() is called twice.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in kfree_skb()\n\nCall Trace:\ndump_stack_lvl (lib/dump_stack.c:106)\nprint_address_description.constprop.0.cold (mm/kasan/report.c:306)\nkasan_check_range (mm/kasan/generic.c:189)\nkfree_skb (net/core/skbuff.c:955)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)\nnfc_llcp_local_put (net/nfc/llcp_core.c:181)\nllcp_sock_destruct (net/nfc/llcp_sock.c:959)\n__sk_destruct (net/core/sock.c:2133)\nsk_destruct (net/core/sock.c:2181)\n__sk_free (net/core/sock.c:2192)\nsk_free (net/core/sock.c:2203)\nllcp_sock_release (net/nfc/llcp_sock.c:646)\n__sock_release (net/socket.c:650)\nsock_close (net/socket.c:1365)\n__fput (fs/file_table.c:306)\ntask_work_run (kernel/task_work.c:179)\nptrace_notify (kernel/signal.c:2354)\nsyscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)\nsyscall_exit_to_user_mode (kernel/entry/common.c:296)\ndo_syscall_64 (arch/x86/entry/common.c:86)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)\n\nAllocated by task 4719:\nkasan_save_stack (mm/kasan/common.c:45)\n__kasan_slab_alloc (mm/kasan/common.c:325)\nslab_post_alloc_hook (mm/slab.h:766)\nkmem_cache_alloc_node (mm/slub.c:3497)\n__alloc_skb (net/core/skbuff.c:552)\npn533_recv_response (drivers/nfc/pn533/usb.c:65)\n__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)\nusb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)\ntasklet_action_common.isra.0 (kernel/softirq.c:797)\n__do_softirq (kernel/softirq.c:571)\n\nFreed by task 1901:\nkasan_save_stack (mm/kasan/common.c:45)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/genericdd.c:518)\n__kasan_slab_free (mm/kasan/common.c:236)\nkmem_cache_free (mm/slub.c:3809)\nkfree_skbmem (net/core/skbuff.c:874)\nkfree_skb (net/core/skbuff.c:931)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)\nnfc_unregister_device (net/nfc/core.c:1179)\npn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)\npn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)\nusb_unbind_interface (drivers/usb/core/driver.c:458)\ndevice_release_driver_internal (drivers/base/dd.c:1279)\nbus_remove_device (drivers/base/bus.c:529)\ndevice_del (drivers/base/core.c:3665)\nusb_disable_device (drivers/usb/core/message.c:1420)\nusb_disconnect (drivers/usb/core.c:2261)\nhub_event (drivers/usb/core/hub.c:5833)\nprocess_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)\nworker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)\nkthread (kernel/kthread.c:319)\nret_from_fork (arch/x86/entry/entry_64.S:301)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:53.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b09ae26f08aaf2d85f96ea7f90ddd3387f62216f"
},
{
"url": "https://git.kernel.org/stable/c/54f7be61584b8ec4c6df405f479495b9397bae4a"
},
{
"url": "https://git.kernel.org/stable/c/a59cdbda3714e11aa3ab579132864c4c8c6d54f9"
},
{
"url": "https://git.kernel.org/stable/c/ad1baab3a5c03692d22ce446f38596a126377f6a"
},
{
"url": "https://git.kernel.org/stable/c/7f129927feaf7c10b1c38bbce630172e9a08c834"
},
{
"url": "https://git.kernel.org/stable/c/d3605282ec3502ec8847915eb2cf1f340493ff79"
},
{
"url": "https://git.kernel.org/stable/c/4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6"
}
],
"title": "net: nfc: Fix use-after-free in local_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53023",
"datePublished": "2025-03-27T16:43:49.142Z",
"dateReserved": "2025-03-27T16:40:15.753Z",
"dateUpdated": "2025-05-04T07:47:53.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57900 (GCVE-0-2024-57900)
Vulnerability from cvelistv5
Published
2025-01-15 13:05
Modified
2025-11-03 20:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ila: serialize calls to nf_register_net_hooks()
syzbot found a race in ila_add_mapping() [1]
commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner")
attempted to fix a similar issue.
Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.
Add a mutex to make sure at most one thread is calling nf_register_net_hooks().
[1]
BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501
CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
process_backlog+0x443/0x15f0 net/core/dev.c:6117
__napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
napi_poll net/core/dev.c:6952 [inline]
net_rx_action+0xa94/0x1010 net/core/dev.c:7074
handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T13:56:44.602768Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T14:04:27.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:55:16.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ila/ila_xlat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1638f430f8900f2375f5de45508fbe553997e190",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "d3017895e393536b234cf80a83fc463c08a28137",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "ad0677c37c14fa28913daea92d139644d7acf04e",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "17e8fa894345e8d2c7a7642482267b275c3d4553",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "3d1b63cf468e446b9feaf4e4e73182b9cc82f460",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "260466b576bca0081a7d4acecc8e93687aa22d0e",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ila/ila_xlat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.124",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.70",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: serialize calls to nf_register_net_hooks()\n\nsyzbot found a race in ila_add_mapping() [1]\n\ncommit 031ae72825ce (\"ila: call nf_unregister_net_hooks() sooner\")\nattempted to fix a similar issue.\n\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\n\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\n\n[1]\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\n\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:489\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\n ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\n nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\n __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\n process_backlog+0x443/0x15f0 net/core/dev.c:6117\n __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\n napi_poll net/core/dev.c:6952 [inline]\n net_rx_action+0xa94/0x1010 net/core/dev.c:7074\n handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:06:12.424Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190"
},
{
"url": "https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137"
},
{
"url": "https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e"
},
{
"url": "https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca"
},
{
"url": "https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553"
},
{
"url": "https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460"
},
{
"url": "https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e"
}
],
"title": "ila: serialize calls to nf_register_net_hooks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57900",
"datePublished": "2025-01-15T13:05:51.798Z",
"dateReserved": "2025-01-11T14:45:42.030Z",
"dateUpdated": "2025-11-03T20:55:16.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49711 (GCVE-0-2022-49711)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to
fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in
fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io
triggers KASAN use-after-free. To avoid the use-after-free, keep the
reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to
fsl_destroy_mc_io().
This patch needs rework to apply to kernels older than v5.15.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:53.258258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ccd1751092341ac120a961835211f9f2e3735963",
"status": "affected",
"version": "f93627146f0e371093966ed3d44c065aa077cfb1",
"versionType": "git"
},
{
"lessThan": "161b68b0a728377aaa10a8e14c70e7734f3c9ff7",
"status": "affected",
"version": "f93627146f0e371093966ed3d44c065aa077cfb1",
"versionType": "git"
},
{
"lessThan": "928ea98252ad75118950941683893cf904541da9",
"status": "affected",
"version": "f93627146f0e371093966ed3d44c065aa077cfb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/fsl-mc/fsl-mc-bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()\n\nIn fsl_mc_bus_remove(), mc-\u003eroot_mc_bus_dev-\u003emc_io is passed to\nfsl_destroy_mc_io(). However, mc-\u003eroot_mc_bus_dev is already freed in\nfsl_mc_device_remove(). Then reference to mc-\u003eroot_mc_bus_dev-\u003emc_io\ntriggers KASAN use-after-free. To avoid the use-after-free, keep the\nreference to mc-\u003eroot_mc_bus_dev-\u003emc_io in a local variable and pass to\nfsl_destroy_mc_io().\n\nThis patch needs rework to apply to kernels older than v5.15."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:51.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ccd1751092341ac120a961835211f9f2e3735963"
},
{
"url": "https://git.kernel.org/stable/c/161b68b0a728377aaa10a8e14c70e7734f3c9ff7"
},
{
"url": "https://git.kernel.org/stable/c/928ea98252ad75118950941683893cf904541da9"
}
],
"title": "bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49711",
"datePublished": "2025-02-26T02:24:28.224Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-05-04T08:43:51.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3567 (GCVE-0-2023-3567)
Vulnerability from cvelistv5
Published
2023-07-24 15:19
Modified
2025-11-06 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-416 - Use After Free
Summary
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected: 0:4.18.0-553.rt7.342.el8_10 < * cpe:/a:redhat:enterprise_linux:8::realtime cpe:/a:redhat:enterprise_linux:8::nfv |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"
},
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0431",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0431"
},
{
"name": "RHSA-2024:0432",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0432"
},
{
"name": "RHSA-2024:0439",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0439"
},
{
"name": "RHSA-2024:0448",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0448"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"name": "RHSA-2024:2394",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"name": "RHSA-2024:2950",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2950"
},
{
"name": "RHSA-2024:3138",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3138"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3567"
},
{
"name": "RHBZ#2221463",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221463"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.spinics.net/lists/stable-commits/msg285184.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime",
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-553.rt7.342.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-553.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhev_hypervisor:4.4::el8",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:8.8::baseos",
"cpe:/a:redhat:rhel_eus:8.8::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-477.43.1.el8_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-427.13.1.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-427.13.1.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.0::baseos",
"cpe:/a:redhat:rhel_eus:9.0::crb",
"cpe:/a:redhat:rhel_eus:9.0::appstream"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-70.85.1.el9_0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.0::realtime",
"cpe:/a:redhat:rhel_eus:9.0::nfv"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-70.85.1.rt21.156.el9_0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::appstream",
"cpe:/a:redhat:rhel_eus:9.2::crb",
"cpe:/o:redhat:rhel_eus:9.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.48.1.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::nfv",
"cpe:/a:redhat:rhel_eus:9.2::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.48.1.rt14.333.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhev_hypervisor:4.4::el8",
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.87.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2023-01-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T19:46:34.822Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:0412",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"name": "RHSA-2024:0431",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0431"
},
{
"name": "RHSA-2024:0432",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0432"
},
{
"name": "RHSA-2024:0439",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0439"
},
{
"name": "RHSA-2024:0448",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0448"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"name": "RHSA-2024:2394",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"name": "RHSA-2024:2950",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2950"
},
{
"name": "RHSA-2024:3138",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3138"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3567"
},
{
"name": "RHBZ#2221463",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221463"
},
{
"url": "https://www.spinics.net/lists/stable-commits/msg285184.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-13T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-01-14T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3567",
"datePublished": "2023-07-24T15:19:19.795Z",
"dateReserved": "2023-07-09T09:05:56.937Z",
"dateUpdated": "2025-11-06T19:46:34.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52988 (GCVE-0-2023-52988)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()
snd_hda_get_connections() can return a negative error code.
It may lead to accessing 'conn' array at a negative index.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:20:44.580398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:20:48.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "437e50ef6290ac835d526d0e45f466a0aa69ba1b",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "6e1f586ddec48d71016b81acf68ba9f49ca54db8",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "d6870f3800dbb212ae8433183ee82f566d067c6c",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "2b557fa635e7487f638c0f030c305870839eeda2",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "1b9256c96220bcdba287eeeb90e7c910c77f8c46",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "f011360ad234a07cb6fbcc720fff646a93a9f0d6",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()\n\nsnd_hda_get_connections() can return a negative error code.\nIt may lead to accessing \u0027conn\u0027 array at a negative index.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:00.427Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/437e50ef6290ac835d526d0e45f466a0aa69ba1b"
},
{
"url": "https://git.kernel.org/stable/c/6e1f586ddec48d71016b81acf68ba9f49ca54db8"
},
{
"url": "https://git.kernel.org/stable/c/d6870f3800dbb212ae8433183ee82f566d067c6c"
},
{
"url": "https://git.kernel.org/stable/c/2b557fa635e7487f638c0f030c305870839eeda2"
},
{
"url": "https://git.kernel.org/stable/c/1b9256c96220bcdba287eeeb90e7c910c77f8c46"
},
{
"url": "https://git.kernel.org/stable/c/f011360ad234a07cb6fbcc720fff646a93a9f0d6"
},
{
"url": "https://git.kernel.org/stable/c/b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa"
}
],
"title": "ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52988",
"datePublished": "2025-03-27T16:43:25.056Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-10-01T17:20:48.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49293 (GCVE-0-2022-49293)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: initialize registers in nft_do_chain()
Initialize registers to avoid stack leak into userspace.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 Version: 96518518cc417bb0a8c80b9fb736202e28acdf96 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d28522acd1c4415c85f6b33463713a268f68965",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "a3cc32863b175168283cb0a5fde08de6a1e27df9",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "88791b79a1eb2ba94e95d039243e28433583a67b",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "06f0ff82c70241a766a811ae1acf07d6e2734dcb",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "2c74374c2e88c7b7992bf808d9f9391f7452f9d9",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "fafb904156fbb8f1dd34970cd5223e00b47c33be",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "64f24c76dd0ce53d0fa3a0bfb9aeea507c769485",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "dd03640529204ef4b8189fbdea08217d8d98271f",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "4c905f6740a365464e91467aa50916555b28213d",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.309",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.309",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.274",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.237",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: initialize registers in nft_do_chain()\n\nInitialize registers to avoid stack leak into userspace."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:24.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d28522acd1c4415c85f6b33463713a268f68965"
},
{
"url": "https://git.kernel.org/stable/c/a3cc32863b175168283cb0a5fde08de6a1e27df9"
},
{
"url": "https://git.kernel.org/stable/c/88791b79a1eb2ba94e95d039243e28433583a67b"
},
{
"url": "https://git.kernel.org/stable/c/06f0ff82c70241a766a811ae1acf07d6e2734dcb"
},
{
"url": "https://git.kernel.org/stable/c/2c74374c2e88c7b7992bf808d9f9391f7452f9d9"
},
{
"url": "https://git.kernel.org/stable/c/fafb904156fbb8f1dd34970cd5223e00b47c33be"
},
{
"url": "https://git.kernel.org/stable/c/64f24c76dd0ce53d0fa3a0bfb9aeea507c769485"
},
{
"url": "https://git.kernel.org/stable/c/dd03640529204ef4b8189fbdea08217d8d98271f"
},
{
"url": "https://git.kernel.org/stable/c/4c905f6740a365464e91467aa50916555b28213d"
}
],
"title": "netfilter: nf_tables: initialize registers in nft_do_chain()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49293",
"datePublished": "2025-02-26T01:56:29.033Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:24.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49407 (GCVE-0-2022-49407)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dlm: fix plock invalid read
This patch fixes an invalid read showed by KASAN. A unlock will allocate a
"struct plock_op" and a followed send_op() will append it to a global
send_list data structure. In some cases a followed dev_read() moves it
to recv_list and dev_write() will cast it to "struct plock_xop" and access
fields which are only available in those structures. At this point an
invalid read happens by accessing those fields.
To fix this issue the "callback" field is moved to "struct plock_op" to
indicate that a cast to "plock_xop" is allowed and does the additional
"plock_xop" handling if set.
Example of the KASAN output which showed the invalid read:
[ 2064.296453] ==================================================================
[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]
[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484
[ 2064.308168]
[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9
[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 2064.311618] Call Trace:
[ 2064.312218] dump_stack_lvl+0x56/0x7b
[ 2064.313150] print_address_description.constprop.8+0x21/0x150
[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.316595] kasan_report.cold.14+0x7f/0x11b
[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]
[ 2064.318687] dev_write+0x52b/0x5a0 [dlm]
[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]
[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10
[ 2064.321926] vfs_write+0x17e/0x930
[ 2064.322769] ? __fget_light+0x1aa/0x220
[ 2064.323753] ksys_write+0xf1/0x1c0
[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0
[ 2064.325464] do_syscall_64+0x3a/0x80
[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.327606] RIP: 0033:0x7f807e4ba96f
[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48
[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f
[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010
[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001
[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80
[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001
[ 2064.342857]
[ 2064.343226] Allocated by task 12438:
[ 2064.344057] kasan_save_stack+0x1c/0x40
[ 2064.345079] __kasan_kmalloc+0x84/0xa0
[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220
[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]
[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0
[ 2064.351070] fcntl_setlk+0x281/0xbc0
[ 2064.352879] do_fcntl+0x5e4/0xfe0
[ 2064.354657] __x64_sys_fcntl+0x11f/0x170
[ 2064.356550] do_syscall_64+0x3a/0x80
[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2064.360745]
[ 2064.361511] Last potentially related work creation:
[ 2064.363957] kasan_save_stack+0x1c/0x40
[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0
[ 2064.368100] call_rcu+0x11b/0xf70
[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.372404] receive_from_sock+0x290/0x770 [dlm]
[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]
[ 2064.377290] process_one_work+0x9a8/0x16e0
[ 2064.379357] worker_thread+0x87/0xbf0
[ 2064.381188] kthread+0x3ac/0x490
[ 2064.383460] ret_from_fork+0x22/0x30
[ 2064.385588]
[ 2064.386518] Second to last potentially related work creation:
[ 2064.389219] kasan_save_stack+0x1c/0x40
[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0
[ 2064.393303] call_rcu+0x11b/0xf70
[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
[ 2064.397694] receive_from_sock+0x290/0x770
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a Version: 586759f03e2e9031ac5589912a51a909ed53c30a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/plock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c55155cc365861044d9e6e80e342693e8805e33",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "72f2f68970f9bdc252d59e119b385a6441b0b155",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "5a1765adf9855cf0f6d3f7e0eb4b78ca66f70dee",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "49cd9eb7b9a7b88124b31e31f8e539acaf1b3a6d",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "899bc4429174861122f0c236588700a4710c1fec",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "acdad5bc9827922ec2f2e84fd198718aa8e8ab92",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "56aa8d1fbd02357f3bf81bdfba1cde87ce8402fc",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "e421872fa17542cf33747071fb141b0130ce9ef7",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
},
{
"lessThan": "42252d0d2aa9b94d168241710a761588b3959019",
"status": "affected",
"version": "586759f03e2e9031ac5589912a51a909ed53c30a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/plock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix plock invalid read\n\nThis patch fixes an invalid read showed by KASAN. A unlock will allocate a\n\"struct plock_op\" and a followed send_op() will append it to a global\nsend_list data structure. In some cases a followed dev_read() moves it\nto recv_list and dev_write() will cast it to \"struct plock_xop\" and access\nfields which are only available in those structures. At this point an\ninvalid read happens by accessing those fields.\n\nTo fix this issue the \"callback\" field is moved to \"struct plock_op\" to\nindicate that a cast to \"plock_xop\" is allowed and does the additional\n\"plock_xop\" handling if set.\n\nExample of the KASAN output which showed the invalid read:\n\n[ 2064.296453] ==================================================================\n[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]\n[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484\n[ 2064.308168]\n[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9\n[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n[ 2064.311618] Call Trace:\n[ 2064.312218] dump_stack_lvl+0x56/0x7b\n[ 2064.313150] print_address_description.constprop.8+0x21/0x150\n[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.316595] kasan_report.cold.14+0x7f/0x11b\n[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.318687] dev_write+0x52b/0x5a0 [dlm]\n[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]\n[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10\n[ 2064.321926] vfs_write+0x17e/0x930\n[ 2064.322769] ? __fget_light+0x1aa/0x220\n[ 2064.323753] ksys_write+0xf1/0x1c0\n[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0\n[ 2064.325464] do_syscall_64+0x3a/0x80\n[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.327606] RIP: 0033:0x7f807e4ba96f\n[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48\n[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f\n[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010\n[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001\n[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80\n[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001\n[ 2064.342857]\n[ 2064.343226] Allocated by task 12438:\n[ 2064.344057] kasan_save_stack+0x1c/0x40\n[ 2064.345079] __kasan_kmalloc+0x84/0xa0\n[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220\n[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]\n[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0\n[ 2064.351070] fcntl_setlk+0x281/0xbc0\n[ 2064.352879] do_fcntl+0x5e4/0xfe0\n[ 2064.354657] __x64_sys_fcntl+0x11f/0x170\n[ 2064.356550] do_syscall_64+0x3a/0x80\n[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.360745]\n[ 2064.361511] Last potentially related work creation:\n[ 2064.363957] kasan_save_stack+0x1c/0x40\n[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.368100] call_rcu+0x11b/0xf70\n[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.372404] receive_from_sock+0x290/0x770 [dlm]\n[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]\n[ 2064.377290] process_one_work+0x9a8/0x16e0\n[ 2064.379357] worker_thread+0x87/0xbf0\n[ 2064.381188] kthread+0x3ac/0x490\n[ 2064.383460] ret_from_fork+0x22/0x30\n[ 2064.385588]\n[ 2064.386518] Second to last potentially related work creation:\n[ 2064.389219] kasan_save_stack+0x1c/0x40\n[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.393303] call_rcu+0x11b/0xf70\n[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.397694] receive_from_sock+0x290/0x770 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:01.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c55155cc365861044d9e6e80e342693e8805e33"
},
{
"url": "https://git.kernel.org/stable/c/72f2f68970f9bdc252d59e119b385a6441b0b155"
},
{
"url": "https://git.kernel.org/stable/c/5a1765adf9855cf0f6d3f7e0eb4b78ca66f70dee"
},
{
"url": "https://git.kernel.org/stable/c/49cd9eb7b9a7b88124b31e31f8e539acaf1b3a6d"
},
{
"url": "https://git.kernel.org/stable/c/899bc4429174861122f0c236588700a4710c1fec"
},
{
"url": "https://git.kernel.org/stable/c/acdad5bc9827922ec2f2e84fd198718aa8e8ab92"
},
{
"url": "https://git.kernel.org/stable/c/56aa8d1fbd02357f3bf81bdfba1cde87ce8402fc"
},
{
"url": "https://git.kernel.org/stable/c/e421872fa17542cf33747071fb141b0130ce9ef7"
},
{
"url": "https://git.kernel.org/stable/c/42252d0d2aa9b94d168241710a761588b3959019"
}
],
"title": "dlm: fix plock invalid read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49407",
"datePublished": "2025-02-26T02:12:31.562Z",
"dateReserved": "2025-02-26T02:08:31.566Z",
"dateUpdated": "2025-05-04T08:37:01.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49591 (GCVE-0-2022-49591)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: microchip: ksz_common: Fix refcount leak bug
In ksz_switch_register(), we should call of_node_put() for the
reference returned by of_get_child_by_name() which has increased
the refcount.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:35:47.908060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:53.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88ec2ff42da3ac93b2437dc52fe25cd4372148e6",
"status": "affected",
"version": "912aae27c6af6605eae967ab540c5e26bd76d421",
"versionType": "git"
},
{
"lessThan": "4165e02716518bbbe9c9104b39530d40928bc7ce",
"status": "affected",
"version": "912aae27c6af6605eae967ab540c5e26bd76d421",
"versionType": "git"
},
{
"lessThan": "a14bd7475452c51835dd5a0cee4c8fa48dd0b539",
"status": "affected",
"version": "912aae27c6af6605eae967ab540c5e26bd76d421",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: ksz_common: Fix refcount leak bug\n\nIn ksz_switch_register(), we should call of_node_put() for the\nreference returned by of_get_child_by_name() which has increased\nthe refcount."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:20.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88ec2ff42da3ac93b2437dc52fe25cd4372148e6"
},
{
"url": "https://git.kernel.org/stable/c/4165e02716518bbbe9c9104b39530d40928bc7ce"
},
{
"url": "https://git.kernel.org/stable/c/a14bd7475452c51835dd5a0cee4c8fa48dd0b539"
}
],
"title": "net: dsa: microchip: ksz_common: Fix refcount leak bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49591",
"datePublished": "2025-02-26T02:23:24.078Z",
"dateReserved": "2025-02-26T02:21:30.412Z",
"dateUpdated": "2025-10-01T19:36:53.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47632 (GCVE-0-2021-47632)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/set_memory: Avoid spinlock recursion in change_page_attr()
Commit 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines")
included a spin_lock() to change_page_attr() in order to
safely perform the three step operations. But then
commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against
concurrent accesses") modify it to use pte_update() and do
the operation safely against concurrent access.
In the meantime, Maxime reported some spinlock recursion.
[ 15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217
[ 15.357540] lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0
[ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523
[ 15.373350] Workqueue: events do_free_init
[ 15.377615] Call Trace:
[ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable)
[ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4
[ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310
[ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0
[ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8
[ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94
[ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310
[ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134
[ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8
[ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c
[ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8
[ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94
[ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8
[ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8
[ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210
[ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c
Remove the read / modify / write sequence to make the operation atomic
and remove the spin_lock() in change_page_attr().
To do the operation atomically, we can't use pte modification helpers
anymore. Because all platforms have different combination of bits, it
is not easy to use those bits directly. But all have the
_PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need it to compare
two sets to know which bits are set or cleared.
For instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you
know which bit gets cleared and which bit get set when changing exec
permission.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47632",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:57.835061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:08.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/pageattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6def4eaf0391f24be541633a954c0e4876858b1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "96917107e67846f1d959ed03be281048efad14c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ebe5ca2cbe438a688f2ae238ef5a0b0b5f3468a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a4c182ecf33584b9b2d1aa9dad073014a504c01f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/pageattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/set_memory: Avoid spinlock recursion in change_page_attr()\n\nCommit 1f9ad21c3b38 (\"powerpc/mm: Implement set_memory() routines\")\nincluded a spin_lock() to change_page_attr() in order to\nsafely perform the three step operations. But then\ncommit 9f7853d7609d (\"powerpc/mm: Fix set_memory_*() against\nconcurrent accesses\") modify it to use pte_update() and do\nthe operation safely against concurrent access.\n\nIn the meantime, Maxime reported some spinlock recursion.\n\n[ 15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217\n[ 15.357540] lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0\n[ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523\n[ 15.373350] Workqueue: events do_free_init\n[ 15.377615] Call Trace:\n[ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable)\n[ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4\n[ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310\n[ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0\n[ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8\n[ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94\n[ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310\n[ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134\n[ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8\n[ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c\n[ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8\n[ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94\n[ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8\n[ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8\n[ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210\n[ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c\n\nRemove the read / modify / write sequence to make the operation atomic\nand remove the spin_lock() in change_page_attr().\n\nTo do the operation atomically, we can\u0027t use pte modification helpers\nanymore. Because all platforms have different combination of bits, it\nis not easy to use those bits directly. But all have the\n_PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need it to compare\ntwo sets to know which bits are set or cleared.\n\nFor instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you\nknow which bit gets cleared and which bit get set when changing exec\npermission."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:11.017Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1e"
},
{
"url": "https://git.kernel.org/stable/c/96917107e67846f1d959ed03be281048efad14c5"
},
{
"url": "https://git.kernel.org/stable/c/6ebe5ca2cbe438a688f2ae238ef5a0b0b5f3468a"
},
{
"url": "https://git.kernel.org/stable/c/a4c182ecf33584b9b2d1aa9dad073014a504c01f"
}
],
"title": "powerpc/set_memory: Avoid spinlock recursion in change_page_attr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47632",
"datePublished": "2025-02-26T01:54:08.162Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-10-01T19:57:08.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21815 (GCVE-0-2025-21815)
Vulnerability from cvelistv5
Published
2025-02-27 20:04
Modified
2025-05-04 07:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/compaction: fix UBSAN shift-out-of-bounds warning
syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order)
in isolate_freepages_block(). The bogus compound_order can be any value
because it is union with flags. Add back the MAX_PAGE_ORDER check to fix
the warning.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/compaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4491159774d973a9e2e998d25d8fbb20fada6dfa",
"status": "affected",
"version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
"versionType": "git"
},
{
"lessThan": "10b7d3eb535098ccd4c82a182a33655d8a0e5c88",
"status": "affected",
"version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
"versionType": "git"
},
{
"lessThan": "d1366e74342e75555af2648a2964deb2d5c92200",
"status": "affected",
"version": "3da0272a4c7d0d37b47b28e87014f421296fc2be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/compaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/compaction: fix UBSAN shift-out-of-bounds warning\n\nsyzkaller reported a UBSAN shift-out-of-bounds warning of (1UL \u003c\u003c order)\nin isolate_freepages_block(). The bogus compound_order can be any value\nbecause it is union with flags. Add back the MAX_PAGE_ORDER check to fix\nthe warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:46.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4491159774d973a9e2e998d25d8fbb20fada6dfa"
},
{
"url": "https://git.kernel.org/stable/c/10b7d3eb535098ccd4c82a182a33655d8a0e5c88"
},
{
"url": "https://git.kernel.org/stable/c/d1366e74342e75555af2648a2964deb2d5c92200"
}
],
"title": "mm/compaction: fix UBSAN shift-out-of-bounds warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21815",
"datePublished": "2025-02-27T20:04:14.733Z",
"dateReserved": "2024-12-29T08:45:45.774Z",
"dateUpdated": "2025-05-04T07:21:46.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47637 (GCVE-0-2021-47637)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix deadlock in concurrent rename whiteout and inode writeback
Following hung tasks:
[ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132
[ 77.028820] Call Trace:
[ 77.029027] schedule+0x8c/0x1b0
[ 77.029067] mutex_lock+0x50/0x60
[ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs]
[ 77.029117] __writeback_single_inode+0x43c/0x570
[ 77.029128] writeback_sb_inodes+0x259/0x740
[ 77.029148] wb_writeback+0x107/0x4d0
[ 77.029163] wb_workfn+0x162/0x7b0
[ 92.390442] task:aa state:D stack: 0 pid: 1506
[ 92.390448] Call Trace:
[ 92.390458] schedule+0x8c/0x1b0
[ 92.390461] wb_wait_for_completion+0x82/0xd0
[ 92.390469] __writeback_inodes_sb_nr+0xb2/0x110
[ 92.390472] writeback_inodes_sb_nr+0x14/0x20
[ 92.390476] ubifs_budget_space+0x705/0xdd0 [ubifs]
[ 92.390503] do_rename.cold+0x7f/0x187 [ubifs]
[ 92.390549] ubifs_rename+0x8b/0x180 [ubifs]
[ 92.390571] vfs_rename+0xdb2/0x1170
[ 92.390580] do_renameat2+0x554/0x770
, are caused by concurrent rename whiteout and inode writeback processes:
rename_whiteout(Thread 1) wb_workfn(Thread2)
ubifs_rename
do_rename
lock_4_inodes (Hold ui_mutex)
ubifs_budget_space
make_free_space
shrink_liability
__writeback_inodes_sb_nr
bdi_split_work_to_wbs (Queue new wb work)
wb_do_writeback(wb work)
__writeback_single_inode
ubifs_write_inode
LOCK(ui_mutex)
↑
wb_wait_for_completion (Wait wb work) <-- deadlock!
Reproducer (Detail program in [Link]):
1. SYS_renameat2("/mp/dir/file", "/mp/dir/whiteout", RENAME_WHITEOUT)
2. Consume out of space before kernel(mdelay) doing budget for whiteout
Fix it by doing whiteout space budget before locking ubifs inodes.
BTW, it also fixes wrong goto tag 'out_release' in whiteout budget
error handling path(It should at least recover dir i_size and unlock
4 ubifs inodes).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 Version: 9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:51.071622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:08.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9dddc8211430fb851ddf0b168e3a00c6f66cc185",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "37bdf1ad592555ecda1d55b89f6e393e4c0589d1",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "83e42a78428fc354f5e2049935b84c8d8d29b787",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "c58af8564a7b08757173009030b74baf4b2b762b",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "70e9090acc32348cedc5def0cd6d5c126efc97b9",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "8b278c8dcfb565cb65eceb62a38cbf7a7c326db5",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
},
{
"lessThan": "afd427048047e8efdedab30e8888044e2be5aa9c",
"status": "affected",
"version": "9e0a1fff8db56eaaebb74b4a3ef65f86811c4798",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix deadlock in concurrent rename whiteout and inode writeback\n\nFollowing hung tasks:\n[ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132\n[ 77.028820] Call Trace:\n[ 77.029027] schedule+0x8c/0x1b0\n[ 77.029067] mutex_lock+0x50/0x60\n[ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs]\n[ 77.029117] __writeback_single_inode+0x43c/0x570\n[ 77.029128] writeback_sb_inodes+0x259/0x740\n[ 77.029148] wb_writeback+0x107/0x4d0\n[ 77.029163] wb_workfn+0x162/0x7b0\n\n[ 92.390442] task:aa state:D stack: 0 pid: 1506\n[ 92.390448] Call Trace:\n[ 92.390458] schedule+0x8c/0x1b0\n[ 92.390461] wb_wait_for_completion+0x82/0xd0\n[ 92.390469] __writeback_inodes_sb_nr+0xb2/0x110\n[ 92.390472] writeback_inodes_sb_nr+0x14/0x20\n[ 92.390476] ubifs_budget_space+0x705/0xdd0 [ubifs]\n[ 92.390503] do_rename.cold+0x7f/0x187 [ubifs]\n[ 92.390549] ubifs_rename+0x8b/0x180 [ubifs]\n[ 92.390571] vfs_rename+0xdb2/0x1170\n[ 92.390580] do_renameat2+0x554/0x770\n\n, are caused by concurrent rename whiteout and inode writeback processes:\n\trename_whiteout(Thread 1)\t wb_workfn(Thread2)\nubifs_rename\n do_rename\n lock_4_inodes (Hold ui_mutex)\n ubifs_budget_space\n make_free_space\n shrink_liability\n\t __writeback_inodes_sb_nr\n\t bdi_split_work_to_wbs (Queue new wb work)\n\t\t\t\t\t wb_do_writeback(wb work)\n\t\t\t\t\t\t__writeback_single_inode\n\t\t\t\t\t ubifs_write_inode\n\t\t\t\t\t LOCK(ui_mutex)\n\t\t\t\t\t\t\t \u2191\n\t wb_wait_for_completion (Wait wb work) \u003c-- deadlock!\n\nReproducer (Detail program in [Link]):\n 1. SYS_renameat2(\"/mp/dir/file\", \"/mp/dir/whiteout\", RENAME_WHITEOUT)\n 2. Consume out of space before kernel(mdelay) doing budget for whiteout\n\nFix it by doing whiteout space budget before locking ubifs inodes.\nBTW, it also fixes wrong goto tag \u0027out_release\u0027 in whiteout budget\nerror handling path(It should at least recover dir i_size and unlock\n4 ubifs inodes)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:16.452Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9dddc8211430fb851ddf0b168e3a00c6f66cc185"
},
{
"url": "https://git.kernel.org/stable/c/37bdf1ad592555ecda1d55b89f6e393e4c0589d1"
},
{
"url": "https://git.kernel.org/stable/c/83e42a78428fc354f5e2049935b84c8d8d29b787"
},
{
"url": "https://git.kernel.org/stable/c/c58af8564a7b08757173009030b74baf4b2b762b"
},
{
"url": "https://git.kernel.org/stable/c/70e9090acc32348cedc5def0cd6d5c126efc97b9"
},
{
"url": "https://git.kernel.org/stable/c/8b278c8dcfb565cb65eceb62a38cbf7a7c326db5"
},
{
"url": "https://git.kernel.org/stable/c/afd427048047e8efdedab30e8888044e2be5aa9c"
}
],
"title": "ubifs: Fix deadlock in concurrent rename whiteout and inode writeback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47637",
"datePublished": "2025-02-26T01:54:10.709Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:08.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49076 (GCVE-0-2022-49076)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hfi1: Fix use-after-free bug for mm struct
Under certain conditions, such as MPI_Abort, the hfi1 cleanup code may
represent the last reference held on the task mm.
hfi1_mmu_rb_unregister() then drops the last reference and the mm is freed
before the final use in hfi1_release_user_pages(). A new task may
allocate the mm structure while it is still being used, resulting in
problems. One manifestation is corruption of the mmap_sem counter leading
to a hang in down_write(). Another is corruption of an mm struct that is
in use by another task.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3d2a9d642512c21a12d19b9250e7a835dcb41a79 Version: 3d2a9d642512c21a12d19b9250e7a835dcb41a79 Version: 3d2a9d642512c21a12d19b9250e7a835dcb41a79 Version: 3d2a9d642512c21a12d19b9250e7a835dcb41a79 Version: 3d2a9d642512c21a12d19b9250e7a835dcb41a79 Version: 5732f83596f8a573f2cde814cc76a54e1a8995c7 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:39.018953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/mmu_rb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f54364ff6cfcd14cddf5441c4a490bb28dd69f7",
"status": "affected",
"version": "3d2a9d642512c21a12d19b9250e7a835dcb41a79",
"versionType": "git"
},
{
"lessThan": "9ca11bd8222a612de0d2f54d050bfcf61ae2883f",
"status": "affected",
"version": "3d2a9d642512c21a12d19b9250e7a835dcb41a79",
"versionType": "git"
},
{
"lessThan": "0b7186d657ee55e2cdefae498f07d5c1961e8023",
"status": "affected",
"version": "3d2a9d642512c21a12d19b9250e7a835dcb41a79",
"versionType": "git"
},
{
"lessThan": "5a9a1b24ddb510715f8f621263938186579a965c",
"status": "affected",
"version": "3d2a9d642512c21a12d19b9250e7a835dcb41a79",
"versionType": "git"
},
{
"lessThan": "2bbac98d0930e8161b1957dc0ec99de39ade1b3c",
"status": "affected",
"version": "3d2a9d642512c21a12d19b9250e7a835dcb41a79",
"versionType": "git"
},
{
"status": "affected",
"version": "5732f83596f8a573f2cde814cc76a54e1a8995c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/mmu_rb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Fix use-after-free bug for mm struct\n\nUnder certain conditions, such as MPI_Abort, the hfi1 cleanup code may\nrepresent the last reference held on the task mm.\nhfi1_mmu_rb_unregister() then drops the last reference and the mm is freed\nbefore the final use in hfi1_release_user_pages(). A new task may\nallocate the mm structure while it is still being used, resulting in\nproblems. One manifestation is corruption of the mmap_sem counter leading\nto a hang in down_write(). Another is corruption of an mm struct that is\nin use by another task."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:15.733Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f54364ff6cfcd14cddf5441c4a490bb28dd69f7"
},
{
"url": "https://git.kernel.org/stable/c/9ca11bd8222a612de0d2f54d050bfcf61ae2883f"
},
{
"url": "https://git.kernel.org/stable/c/0b7186d657ee55e2cdefae498f07d5c1961e8023"
},
{
"url": "https://git.kernel.org/stable/c/5a9a1b24ddb510715f8f621263938186579a965c"
},
{
"url": "https://git.kernel.org/stable/c/2bbac98d0930e8161b1957dc0ec99de39ade1b3c"
}
],
"title": "RDMA/hfi1: Fix use-after-free bug for mm struct",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49076",
"datePublished": "2025-02-26T01:54:39.251Z",
"dateReserved": "2025-02-26T01:49:39.246Z",
"dateUpdated": "2025-05-04T12:44:15.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49505 (GCVE-0-2022-49505)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: NULL out the dev->rfkill to prevent UAF
Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
assumes the device_is_registered() in function nfc_dev_up() will help
to check when the rfkill is unregistered. However, this check only
take effect when device_del(&dev->dev) is done in nfc_unregister_device().
Hence, the rfkill object is still possible be dereferenced.
The crash trace in latest kernel (5.18-rc2):
[ 68.760105] ==================================================================
[ 68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750
[ 68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313
[ 68.760756]
[ 68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4
[ 68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 68.760756] Call Trace:
[ 68.760756] <TASK>
[ 68.760756] dump_stack_lvl+0x57/0x7d
[ 68.760756] print_report.cold+0x5e/0x5db
[ 68.760756] ? __lock_acquire+0x3ec1/0x6750
[ 68.760756] kasan_report+0xbe/0x1c0
[ 68.760756] ? __lock_acquire+0x3ec1/0x6750
[ 68.760756] __lock_acquire+0x3ec1/0x6750
[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 68.760756] ? register_lock_class+0x18d0/0x18d0
[ 68.760756] lock_acquire+0x1ac/0x4f0
[ 68.760756] ? rfkill_blocked+0xe/0x60
[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 68.760756] ? mutex_lock_io_nested+0x12c0/0x12c0
[ 68.760756] ? nla_get_range_signed+0x540/0x540
[ 68.760756] ? _raw_spin_lock_irqsave+0x4e/0x50
[ 68.760756] _raw_spin_lock_irqsave+0x39/0x50
[ 68.760756] ? rfkill_blocked+0xe/0x60
[ 68.760756] rfkill_blocked+0xe/0x60
[ 68.760756] nfc_dev_up+0x84/0x260
[ 68.760756] nfc_genl_dev_up+0x90/0xe0
[ 68.760756] genl_family_rcv_msg_doit+0x1f4/0x2f0
[ 68.760756] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230
[ 68.760756] ? security_capable+0x51/0x90
[ 68.760756] genl_rcv_msg+0x280/0x500
[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0
[ 68.760756] ? lock_acquire+0x1ac/0x4f0
[ 68.760756] ? nfc_genl_dev_down+0xe0/0xe0
[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 68.760756] netlink_rcv_skb+0x11b/0x340
[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0
[ 68.760756] ? netlink_ack+0x9c0/0x9c0
[ 68.760756] ? netlink_deliver_tap+0x136/0xb00
[ 68.760756] genl_rcv+0x1f/0x30
[ 68.760756] netlink_unicast+0x430/0x710
[ 68.760756] ? memset+0x20/0x40
[ 68.760756] ? netlink_attachskb+0x740/0x740
[ 68.760756] ? __build_skb_around+0x1f4/0x2a0
[ 68.760756] netlink_sendmsg+0x75d/0xc00
[ 68.760756] ? netlink_unicast+0x710/0x710
[ 68.760756] ? netlink_unicast+0x710/0x710
[ 68.760756] sock_sendmsg+0xdf/0x110
[ 68.760756] __sys_sendto+0x19e/0x270
[ 68.760756] ? __ia32_sys_getpeername+0xa0/0xa0
[ 68.760756] ? fd_install+0x178/0x4c0
[ 68.760756] ? fd_install+0x195/0x4c0
[ 68.760756] ? kernel_fpu_begin_mask+0x1c0/0x1c0
[ 68.760756] __x64_sys_sendto+0xd8/0x1b0
[ 68.760756] ? lockdep_hardirqs_on+0xbf/0x130
[ 68.760756] ? syscall_enter_from_user_mode+0x1d/0x50
[ 68.760756] do_syscall_64+0x3b/0x90
[ 68.760756] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.760756] RIP: 0033:0x7f67fb50e6b3
...
[ 68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[ 68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3
[ 68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003
[ 68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c
[ 68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e
[ 68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003
[ 68.760756] </TASK>
[ 68.760756]
[ 68.760756] Allocated by task 279:
[ 68.760756] kasan_save_stack+0x1e/0x40
[
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 Version: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 Version: c45cea83e13699bdfd47842e04d09dd43af4c371 Version: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 Version: 73a0d12114b4bc1a9def79a623264754b9df698e Version: 8a9c61c3ef187d8891225f9b932390670a43a0d3 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 Version: 5ef16d2d172ee56714cff37cd005b98aba08ef5a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:28.672028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:28.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8e03bcad52dc9afabf650fdbad84f739cec9efa",
"status": "affected",
"version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
"versionType": "git"
},
{
"lessThan": "f81270125b50532624400063281e6611ecd61ddf",
"status": "affected",
"version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
"versionType": "git"
},
{
"lessThan": "6abfaca8711803d0d7cc8c0fac1070a88509d463",
"status": "affected",
"version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
"versionType": "git"
},
{
"lessThan": "fbf9c4c714d3cdeb98b6a18e4d057f931cad1d81",
"status": "affected",
"version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
"versionType": "git"
},
{
"lessThan": "2a1b5110c95e4d49c8c3906270dfcde680a5a7be",
"status": "affected",
"version": "73a0d12114b4bc1a9def79a623264754b9df698e",
"versionType": "git"
},
{
"lessThan": "1632be63862f183cd5cf1cc094e698e6ec005dfd",
"status": "affected",
"version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
"versionType": "git"
},
{
"lessThan": "4a68938f43b7c2663e4c90bb9bbe29ac8b9a42a0",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "4f5d71930f41be78557f9714393179025baacd65",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"status": "affected",
"version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.4.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: NULL out the dev-\u003erfkill to prevent UAF\n\nCommit 3e3b5dfcd16a (\"NFC: reorder the logic in nfc_{un,}register_device\")\nassumes the device_is_registered() in function nfc_dev_up() will help\nto check when the rfkill is unregistered. However, this check only\ntake effect when device_del(\u0026dev-\u003edev) is done in nfc_unregister_device().\nHence, the rfkill object is still possible be dereferenced.\n\nThe crash trace in latest kernel (5.18-rc2):\n\n[ 68.760105] ==================================================================\n[ 68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750\n[ 68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313\n[ 68.760756]\n[ 68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4\n[ 68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 68.760756] Call Trace:\n[ 68.760756] \u003cTASK\u003e\n[ 68.760756] dump_stack_lvl+0x57/0x7d\n[ 68.760756] print_report.cold+0x5e/0x5db\n[ 68.760756] ? __lock_acquire+0x3ec1/0x6750\n[ 68.760756] kasan_report+0xbe/0x1c0\n[ 68.760756] ? __lock_acquire+0x3ec1/0x6750\n[ 68.760756] __lock_acquire+0x3ec1/0x6750\n[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410\n[ 68.760756] ? register_lock_class+0x18d0/0x18d0\n[ 68.760756] lock_acquire+0x1ac/0x4f0\n[ 68.760756] ? rfkill_blocked+0xe/0x60\n[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410\n[ 68.760756] ? mutex_lock_io_nested+0x12c0/0x12c0\n[ 68.760756] ? nla_get_range_signed+0x540/0x540\n[ 68.760756] ? _raw_spin_lock_irqsave+0x4e/0x50\n[ 68.760756] _raw_spin_lock_irqsave+0x39/0x50\n[ 68.760756] ? rfkill_blocked+0xe/0x60\n[ 68.760756] rfkill_blocked+0xe/0x60\n[ 68.760756] nfc_dev_up+0x84/0x260\n[ 68.760756] nfc_genl_dev_up+0x90/0xe0\n[ 68.760756] genl_family_rcv_msg_doit+0x1f4/0x2f0\n[ 68.760756] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230\n[ 68.760756] ? security_capable+0x51/0x90\n[ 68.760756] genl_rcv_msg+0x280/0x500\n[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0\n[ 68.760756] ? lock_acquire+0x1ac/0x4f0\n[ 68.760756] ? nfc_genl_dev_down+0xe0/0xe0\n[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410\n[ 68.760756] netlink_rcv_skb+0x11b/0x340\n[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0\n[ 68.760756] ? netlink_ack+0x9c0/0x9c0\n[ 68.760756] ? netlink_deliver_tap+0x136/0xb00\n[ 68.760756] genl_rcv+0x1f/0x30\n[ 68.760756] netlink_unicast+0x430/0x710\n[ 68.760756] ? memset+0x20/0x40\n[ 68.760756] ? netlink_attachskb+0x740/0x740\n[ 68.760756] ? __build_skb_around+0x1f4/0x2a0\n[ 68.760756] netlink_sendmsg+0x75d/0xc00\n[ 68.760756] ? netlink_unicast+0x710/0x710\n[ 68.760756] ? netlink_unicast+0x710/0x710\n[ 68.760756] sock_sendmsg+0xdf/0x110\n[ 68.760756] __sys_sendto+0x19e/0x270\n[ 68.760756] ? __ia32_sys_getpeername+0xa0/0xa0\n[ 68.760756] ? fd_install+0x178/0x4c0\n[ 68.760756] ? fd_install+0x195/0x4c0\n[ 68.760756] ? kernel_fpu_begin_mask+0x1c0/0x1c0\n[ 68.760756] __x64_sys_sendto+0xd8/0x1b0\n[ 68.760756] ? lockdep_hardirqs_on+0xbf/0x130\n[ 68.760756] ? syscall_enter_from_user_mode+0x1d/0x50\n[ 68.760756] do_syscall_64+0x3b/0x90\n[ 68.760756] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 68.760756] RIP: 0033:0x7f67fb50e6b3\n...\n[ 68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\n[ 68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3\n[ 68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003\n[ 68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c\n[ 68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e\n[ 68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003\n\n[ 68.760756] \u003c/TASK\u003e\n[ 68.760756]\n[ 68.760756] Allocated by task 279:\n[ 68.760756] kasan_save_stack+0x1e/0x40\n[\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:52.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8e03bcad52dc9afabf650fdbad84f739cec9efa"
},
{
"url": "https://git.kernel.org/stable/c/f81270125b50532624400063281e6611ecd61ddf"
},
{
"url": "https://git.kernel.org/stable/c/6abfaca8711803d0d7cc8c0fac1070a88509d463"
},
{
"url": "https://git.kernel.org/stable/c/fbf9c4c714d3cdeb98b6a18e4d057f931cad1d81"
},
{
"url": "https://git.kernel.org/stable/c/2a1b5110c95e4d49c8c3906270dfcde680a5a7be"
},
{
"url": "https://git.kernel.org/stable/c/1632be63862f183cd5cf1cc094e698e6ec005dfd"
},
{
"url": "https://git.kernel.org/stable/c/4a68938f43b7c2663e4c90bb9bbe29ac8b9a42a0"
},
{
"url": "https://git.kernel.org/stable/c/4f5d71930f41be78557f9714393179025baacd65"
},
{
"url": "https://git.kernel.org/stable/c/1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9"
}
],
"title": "NFC: NULL out the dev-\u003erfkill to prevent UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49505",
"datePublished": "2025-02-26T02:13:37.496Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-05-04T12:44:52.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49707 (GCVE-0-2022-49707)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: add reserved GDT blocks check
We capture a NULL pointer issue when resizing a corrupt ext4 image which
is freshly clear resize_inode feature (not run e2fsck). It could be
simply reproduced by following steps. The problem is because of the
resize_inode feature was cleared, and it will convert the filesystem to
meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was
not reduced to zero, so could we mistakenly call reserve_backup_gdb()
and passing an uninitialized resize_inode to it when adding new group
descriptors.
mkfs.ext4 /dev/sda 3G
tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck
mount /dev/sda /mnt
resize2fs /dev/sda 8G
========
BUG: kernel NULL pointer dereference, address: 0000000000000028
CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748
...
RIP: 0010:ext4_flex_group_add+0xe08/0x2570
...
Call Trace:
<TASK>
ext4_resize_fs+0xbec/0x1660
__ext4_ioctl+0x1749/0x24e0
ext4_ioctl+0x12/0x20
__x64_sys_ioctl+0xa6/0x110
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2dd739617b
========
The fix is simple, add a check in ext4_resize_begin() to make sure that
the es->s_reserved_gdt_blocks is zero when the resize_inode feature is
disabled.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:29.329505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0dc2fca8e4f9ac4a40e8424a10163369cca0cc06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c921328ac760bba780bdace41f4cd045f7f1405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9747263b13e5290ac4d63bec47e38f701303cad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fba54289176702a7caac0b64738406775817f451",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bfd004a1d3a062aac300523d406ac1f3e5f1a82c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33b1bba31f4c784d33d2c2517964bdccdc9204cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af75c481a2e45e70f62f5942c93695e95bf7bd21",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b55c3cd102a6f48b90e61c44f7f3dda8c290c694",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add reserved GDT blocks check\n\nWe capture a NULL pointer issue when resizing a corrupt ext4 image which\nis freshly clear resize_inode feature (not run e2fsck). It could be\nsimply reproduced by following steps. The problem is because of the\nresize_inode feature was cleared, and it will convert the filesystem to\nmeta_bg mode in ext4_resize_fs(), but the es-\u003es_reserved_gdt_blocks was\nnot reduced to zero, so could we mistakenly call reserve_backup_gdb()\nand passing an uninitialized resize_inode to it when adding new group\ndescriptors.\n\n mkfs.ext4 /dev/sda 3G\n tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck\n mount /dev/sda /mnt\n resize2fs /dev/sda 8G\n\n ========\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748\n ...\n RIP: 0010:ext4_flex_group_add+0xe08/0x2570\n ...\n Call Trace:\n \u003cTASK\u003e\n ext4_resize_fs+0xbec/0x1660\n __ext4_ioctl+0x1749/0x24e0\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xa6/0x110\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f2dd739617b\n ========\n\nThe fix is simple, add a check in ext4_resize_begin() to make sure that\nthe es-\u003es_reserved_gdt_blocks is zero when the resize_inode feature is\ndisabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:46.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dc2fca8e4f9ac4a40e8424a10163369cca0cc06"
},
{
"url": "https://git.kernel.org/stable/c/7c921328ac760bba780bdace41f4cd045f7f1405"
},
{
"url": "https://git.kernel.org/stable/c/b9747263b13e5290ac4d63bec47e38f701303cad"
},
{
"url": "https://git.kernel.org/stable/c/fba54289176702a7caac0b64738406775817f451"
},
{
"url": "https://git.kernel.org/stable/c/bfd004a1d3a062aac300523d406ac1f3e5f1a82c"
},
{
"url": "https://git.kernel.org/stable/c/33b1bba31f4c784d33d2c2517964bdccdc9204cd"
},
{
"url": "https://git.kernel.org/stable/c/af75c481a2e45e70f62f5942c93695e95bf7bd21"
},
{
"url": "https://git.kernel.org/stable/c/b55c3cd102a6f48b90e61c44f7f3dda8c290c694"
}
],
"title": "ext4: add reserved GDT blocks check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49707",
"datePublished": "2025-02-26T02:24:25.441Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-10-01T19:36:45.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49253 (GCVE-0-2022-49253)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: usb: go7007: s2250-board: fix leak in probe()
Call i2c_unregister_device(audio) on this error path.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 Version: d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/go7007/s2250-board.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bbdd0e15738336e6b1208304ae98525117877bbd",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "a97130cd5b0c00eec169b10a16d922b9ea67324a",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "b7dd177225355da55f8d80d8e568928e0eec3608",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "14cd5a8e61c654828a1f1056d56f0b0a524d2c69",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "44973633b0064c46083833b55dd0a45e6235f8ca",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "895364fa97e60749855f789bc4568883fc7a8b39",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "b5470f3efa530b10296257bb578ce4b1769e9a04",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "948ad5e5624487079c24cb5c81c74ddd02832440",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
},
{
"lessThan": "67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d",
"status": "affected",
"version": "d3b2ccd9e307eae80b4b4eeb0ede46cb02212df2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/go7007/s2250-board.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: go7007: s2250-board: fix leak in probe()\n\nCall i2c_unregister_device(audio) on this error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:26.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bbdd0e15738336e6b1208304ae98525117877bbd"
},
{
"url": "https://git.kernel.org/stable/c/a97130cd5b0c00eec169b10a16d922b9ea67324a"
},
{
"url": "https://git.kernel.org/stable/c/b7dd177225355da55f8d80d8e568928e0eec3608"
},
{
"url": "https://git.kernel.org/stable/c/14cd5a8e61c654828a1f1056d56f0b0a524d2c69"
},
{
"url": "https://git.kernel.org/stable/c/44973633b0064c46083833b55dd0a45e6235f8ca"
},
{
"url": "https://git.kernel.org/stable/c/895364fa97e60749855f789bc4568883fc7a8b39"
},
{
"url": "https://git.kernel.org/stable/c/b5470f3efa530b10296257bb578ce4b1769e9a04"
},
{
"url": "https://git.kernel.org/stable/c/948ad5e5624487079c24cb5c81c74ddd02832440"
},
{
"url": "https://git.kernel.org/stable/c/67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d"
}
],
"title": "media: usb: go7007: s2250-board: fix leak in probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49253",
"datePublished": "2025-02-26T01:56:09.146Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:26.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53140 (GCVE-0-2024-53140)
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2025-11-03 22:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: terminate outstanding dump on socket close
Netlink supports iterative dumping of data. It provides the families
the following ops:
- start - (optional) kicks off the dumping process
- dump - actual dump helper, keeps getting called until it returns 0
- done - (optional) pairs with .start, can be used for cleanup
The whole process is asynchronous and the repeated calls to .dump
don't actually happen in a tight loop, but rather are triggered
in response to recvmsg() on the socket.
This gives the user full control over the dump, but also means that
the user can close the socket without getting to the end of the dump.
To make sure .start is always paired with .done we check if there
is an ongoing dump before freeing the socket, and if so call .done.
The complication is that sockets can get freed from BH and .done
is allowed to sleep. So we use a workqueue to defer the call, when
needed.
Unfortunately this does not work correctly. What we defer is not
the cleanup but rather releasing a reference on the socket.
We have no guarantee that we own the last reference, if someone
else holds the socket they may release it in BH and we're back
to square one.
The whole dance, however, appears to be unnecessary. Only the user
can interact with dumps, so we can clean up when socket is closed.
And close always happens in process context. Some async code may
still access the socket after close, queue notification skbs to it etc.
but no dumps can start, end or otherwise make progress.
Delete the workqueue and flush the dump state directly from the release
handler. Note that further cleanup is possible in -next, for instance
we now always call .done before releasing the main module reference,
so dump doesn't have to take a reference of its own.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df Version: 25d9b4bb64ea964769087fc5ae09aee9c838d759 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:29:42.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/af_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "114a61d8d94ae3a43b82446cf737fd757021b834",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "598c956b62699c3753929602560d8df322e60559",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "4e87a52133284afbd40fb522dbf96e258af52a98",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "176c41b3ca9281a9736b67c6121b03dbf0c8c08f",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"lessThan": "1904fb9ebf911441f90a68e96b22aa73e4410505",
"status": "affected",
"version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e",
"versionType": "git"
},
{
"status": "affected",
"version": "baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df",
"versionType": "git"
},
{
"status": "affected",
"version": "25d9b4bb64ea964769087fc5ae09aee9c838d759",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/af_netlink.c",
"net/netlink/af_netlink.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.119",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.63",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump - actual dump helper, keeps getting called until it returns 0\n - done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon\u0027t actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we\u0027re back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn\u0027t have to take a reference of its own."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:00:35.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834"
},
{
"url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559"
},
{
"url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4"
},
{
"url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603"
},
{
"url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98"
},
{
"url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca"
},
{
"url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f"
},
{
"url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505"
}
],
"title": "netlink: terminate outstanding dump on socket close",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53140",
"datePublished": "2024-12-04T14:20:44.914Z",
"dateReserved": "2024-11-19T17:17:24.997Z",
"dateUpdated": "2025-11-03T22:29:42.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49236 (GCVE-0-2022-49236)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix UAF due to race between btf_try_get_module and load_module
While working on code to populate kfunc BTF ID sets for module BTF from
its initcall, I noticed that by the time the initcall is invoked, the
module BTF can already be seen by userspace (and the BPF verifier). The
existing btf_try_get_module calls try_module_get which only fails if
mod->state == MODULE_STATE_GOING, i.e. it can increment module reference
when module initcall is happening in parallel.
Currently, BTF parsing happens from MODULE_STATE_COMING notifier
callback. At this point, the module initcalls have not been invoked.
The notifier callback parses and prepares the module BTF, allocates an
ID, which publishes it to userspace, and then adds it to the btf_modules
list allowing the kernel to invoke btf_try_get_module for the BTF.
However, at this point, the module has not been fully initialized (i.e.
its initcalls have not finished). The code in module.c can still fail
and free the module, without caring for other users. However, nothing
stops btf_try_get_module from succeeding between the state transition
from MODULE_STATE_COMING to MODULE_STATE_LIVE.
This leads to a use-after-free issue when BPF program loads
successfully in the state transition, load_module's do_init_module call
fails and frees the module, and BPF program fd on close calls module_put
for the freed module. Future patch has test case to verify we don't
regress in this area in future.
There are multiple points after prepare_coming_module (in load_module)
where failure can occur and module loading can return error. We
illustrate and test for the race using the last point where it can
practically occur (in module __init function).
An illustration of the race:
CPU 0 CPU 1
load_module
notifier_call(MODULE_STATE_COMING)
btf_parse_module
btf_alloc_id // Published to userspace
list_add(&btf_mod->list, btf_modules)
mod->init(...)
... ^
bpf_check |
check_pseudo_btf_id |
btf_try_get_module |
returns true | ...
... | module __init in progress
return prog_fd | ...
... V
if (ret < 0)
free_module(mod)
...
close(prog_fd)
...
bpf_prog_free_deferred
module_put(used_btf.mod) // use-after-free
We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier
callback when MODULE_STATE_LIVE state is reached for the module, so that
we return NULL from btf_try_get_module for modules that are not fully
formed. Since try_module_get already checks that module is not in
MODULE_STATE_GOING state, and that is the only transition a live module
can make before being removed from btf_modules list, this is enough to
close the race and prevent the bug.
A later selftest patch crafts the race condition artifically to verify
that it has been fixed, and that verifier fails to load program (with
ENXIO).
Lastly, a couple of comments:
1. Even if this race didn't exist, it seems more appropriate to only
access resources (ksyms and kfuncs) of a fully formed module which
has been initialized completely.
2. This patch was born out of need for synchronization against module
initcall for the next patch, so it is needed for correctness even
without the aforementioned race condition. The BTF resources
initialized by module initcall are set up once and then only looked
up, so just waiting until the initcall has finished ensures correct
behavior.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:59.008541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51b82141fffa454abf937a8ff0b8af89e4fd0c8f",
"status": "affected",
"version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c",
"versionType": "git"
},
{
"lessThan": "d7fccf264b1a785525b366a5b7f8113c756187ad",
"status": "affected",
"version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c",
"versionType": "git"
},
{
"lessThan": "0481baa2318cb1ab13277715da6cdbb657807b3f",
"status": "affected",
"version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c",
"versionType": "git"
},
{
"lessThan": "18688de203b47e5d8d9d0953385bf30b5949324f",
"status": "affected",
"version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix UAF due to race between btf_try_get_module and load_module\n\nWhile working on code to populate kfunc BTF ID sets for module BTF from\nits initcall, I noticed that by the time the initcall is invoked, the\nmodule BTF can already be seen by userspace (and the BPF verifier). The\nexisting btf_try_get_module calls try_module_get which only fails if\nmod-\u003estate == MODULE_STATE_GOING, i.e. it can increment module reference\nwhen module initcall is happening in parallel.\n\nCurrently, BTF parsing happens from MODULE_STATE_COMING notifier\ncallback. At this point, the module initcalls have not been invoked.\nThe notifier callback parses and prepares the module BTF, allocates an\nID, which publishes it to userspace, and then adds it to the btf_modules\nlist allowing the kernel to invoke btf_try_get_module for the BTF.\n\nHowever, at this point, the module has not been fully initialized (i.e.\nits initcalls have not finished). The code in module.c can still fail\nand free the module, without caring for other users. However, nothing\nstops btf_try_get_module from succeeding between the state transition\nfrom MODULE_STATE_COMING to MODULE_STATE_LIVE.\n\nThis leads to a use-after-free issue when BPF program loads\nsuccessfully in the state transition, load_module\u0027s do_init_module call\nfails and frees the module, and BPF program fd on close calls module_put\nfor the freed module. Future patch has test case to verify we don\u0027t\nregress in this area in future.\n\nThere are multiple points after prepare_coming_module (in load_module)\nwhere failure can occur and module loading can return error. We\nillustrate and test for the race using the last point where it can\npractically occur (in module __init function).\n\nAn illustration of the race:\n\nCPU 0 CPU 1\n\t\t\t load_module\n\t\t\t notifier_call(MODULE_STATE_COMING)\n\t\t\t btf_parse_module\n\t\t\t btf_alloc_id\t// Published to userspace\n\t\t\t list_add(\u0026btf_mod-\u003elist, btf_modules)\n\t\t\t mod-\u003einit(...)\n...\t\t\t\t^\nbpf_check\t\t |\ncheck_pseudo_btf_id |\n btf_try_get_module |\n returns true | ...\n... | module __init in progress\nreturn prog_fd | ...\n... V\n\t\t\t if (ret \u003c 0)\n\t\t\t free_module(mod)\n\t\t\t ...\nclose(prog_fd)\n ...\n bpf_prog_free_deferred\n module_put(used_btf.mod) // use-after-free\n\nWe fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier\ncallback when MODULE_STATE_LIVE state is reached for the module, so that\nwe return NULL from btf_try_get_module for modules that are not fully\nformed. Since try_module_get already checks that module is not in\nMODULE_STATE_GOING state, and that is the only transition a live module\ncan make before being removed from btf_modules list, this is enough to\nclose the race and prevent the bug.\n\nA later selftest patch crafts the race condition artifically to verify\nthat it has been fixed, and that verifier fails to load program (with\nENXIO).\n\nLastly, a couple of comments:\n\n 1. Even if this race didn\u0027t exist, it seems more appropriate to only\n access resources (ksyms and kfuncs) of a fully formed module which\n has been initialized completely.\n\n 2. This patch was born out of need for synchronization against module\n initcall for the next patch, so it is needed for correctness even\n without the aforementioned race condition. The BTF resources\n initialized by module initcall are set up once and then only looked\n up, so just waiting until the initcall has finished ensures correct\n behavior."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:04.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51b82141fffa454abf937a8ff0b8af89e4fd0c8f"
},
{
"url": "https://git.kernel.org/stable/c/d7fccf264b1a785525b366a5b7f8113c756187ad"
},
{
"url": "https://git.kernel.org/stable/c/0481baa2318cb1ab13277715da6cdbb657807b3f"
},
{
"url": "https://git.kernel.org/stable/c/18688de203b47e5d8d9d0953385bf30b5949324f"
}
],
"title": "bpf: Fix UAF due to race between btf_try_get_module and load_module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49236",
"datePublished": "2025-02-26T01:56:00.689Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:04.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49237 (GCVE-0-2022-49237)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: add missing of_node_put() to avoid leak
The node pointer is returned by of_find_node_by_type()
or of_parse_phandle() with refcount incremented. Calling
of_node_put() to aovid the refcount leak.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:56.424434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:02.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c",
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d51cb010b20d70b16dc6e4341bf29d6c5b32564",
"status": "affected",
"version": "6ac04bdc5edb418787ab2040b1f922c23464c750",
"versionType": "git"
},
{
"lessThan": "3d38faef0de1756994b3d95e47b2302842f729e2",
"status": "affected",
"version": "6ac04bdc5edb418787ab2040b1f922c23464c750",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mhi.c",
"drivers/net/wireless/ath/ath11k/qmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: add missing of_node_put() to avoid leak\n\nThe node pointer is returned by of_find_node_by_type()\nor of_parse_phandle() with refcount incremented. Calling\nof_node_put() to aovid the refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:05.181Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d51cb010b20d70b16dc6e4341bf29d6c5b32564"
},
{
"url": "https://git.kernel.org/stable/c/3d38faef0de1756994b3d95e47b2302842f729e2"
}
],
"title": "ath11k: add missing of_node_put() to avoid leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49237",
"datePublished": "2025-02-26T01:56:01.158Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-10-01T19:47:02.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21846 (GCVE-0-2025-21846)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
acct: perform last write from workqueue
In [1] it was reported that the acct(2) system call can be used to
trigger NULL deref in cases where it is set to write to a file that
triggers an internal lookup. This can e.g., happen when pointing acc(2)
to /sys/power/resume. At the point the where the write to this file
happens the calling task has already exited and called exit_fs(). A
lookup will thus trigger a NULL-deref when accessing current->fs.
Reorganize the code so that the the final write happens from the
workqueue but with the caller's credentials. This preserves the
(strange) permission model and has almost no regression risk.
This api should stop to exist though.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:26:33.271867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:34.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:03.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/acct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8acbf4a88c6a98c8ed00afd1a7d1abcca9b4735e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b03782ae707cc45e65242c7cddd8e28f1c22cde5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d5b936cfa4b0d5670ca7420ef165a074bc008eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ee8da9bea70dda492d61f075658939af33d8410",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5c928e14a2ccd99462f2351ead627b58075bb736",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5a59ced8ffc71973d42c82484a719c8f6ac8f7f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8136afca090412a36429cb6c2543c714d9c0f84",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56d5f3eba3f5de0efdd556de4ef381e109b973a9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/acct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: perform last write from workqueue\n\nIn [1] it was reported that the acct(2) system call can be used to\ntrigger NULL deref in cases where it is set to write to a file that\ntriggers an internal lookup. This can e.g., happen when pointing acc(2)\nto /sys/power/resume. At the point the where the write to this file\nhappens the calling task has already exited and called exit_fs(). A\nlookup will thus trigger a NULL-deref when accessing current-\u003efs.\n\nReorganize the code so that the the final write happens from the\nworkqueue but with the caller\u0027s credentials. This preserves the\n(strange) permission model and has almost no regression risk.\n\nThis api should stop to exist though."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:26.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8acbf4a88c6a98c8ed00afd1a7d1abcca9b4735e"
},
{
"url": "https://git.kernel.org/stable/c/b03782ae707cc45e65242c7cddd8e28f1c22cde5"
},
{
"url": "https://git.kernel.org/stable/c/5d5b936cfa4b0d5670ca7420ef165a074bc008eb"
},
{
"url": "https://git.kernel.org/stable/c/5ee8da9bea70dda492d61f075658939af33d8410"
},
{
"url": "https://git.kernel.org/stable/c/5c928e14a2ccd99462f2351ead627b58075bb736"
},
{
"url": "https://git.kernel.org/stable/c/5a59ced8ffc71973d42c82484a719c8f6ac8f7f7"
},
{
"url": "https://git.kernel.org/stable/c/a8136afca090412a36429cb6c2543c714d9c0f84"
},
{
"url": "https://git.kernel.org/stable/c/56d5f3eba3f5de0efdd556de4ef381e109b973a9"
}
],
"title": "acct: perform last write from workqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21846",
"datePublished": "2025-03-12T09:42:02.635Z",
"dateReserved": "2024-12-29T08:45:45.778Z",
"dateUpdated": "2025-11-03T19:38:03.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49755 (GCVE-0-2022-49755)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
While performing fast composition switch, there is a possibility that the
process of ffs_ep0_write/ffs_ep0_read get into a race condition
due to ep0req being freed up from functionfs_unbind.
Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
bounded so it can go ahead and mark the ep0req to NULL, and since there
is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
Fix this by making a serialized execution between the two functions using
a mutex_lock(ffs->mutex).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:31.876200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "facf353c9e8d7885b686d9a4b173d4e0af6441d2",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "a8d40942df074f4ebcb9bd3413596d92f323b064",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6dd9ea05534f323668db94fcc2726c7a84547e78",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "ae8e136bcaae96163b5821984de1036efc9abb1a",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6aee197b7fbcd61596a78b47d553f2f99111f217",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6a19da111057f69214b97c62fb0ac59023970850",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait\n\nWhile performing fast composition switch, there is a possibility that the\nprocess of ffs_ep0_write/ffs_ep0_read get into a race condition\ndue to ep0req being freed up from functionfs_unbind.\n\nConsider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait\nby taking a lock \u0026ffs-\u003eev.waitq.lock. However, the functionfs_unbind isn\u0027t\nbounded so it can go ahead and mark the ep0req to NULL, and since there\nis no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.\n\nFix this by making a serialized execution between the two functions using\na mutex_lock(ffs-\u003emutex)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:41.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2"
},
{
"url": "https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4"
},
{
"url": "https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064"
},
{
"url": "https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78"
},
{
"url": "https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a"
},
{
"url": "https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217"
},
{
"url": "https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850"
}
],
"title": "usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49755",
"datePublished": "2025-03-27T16:43:02.950Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:41.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21739 (GCVE-0-2025-21739)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 07:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix use-after free in init error and remove paths
devm_blk_crypto_profile_init() registers a cleanup handler to run when
the associated (platform-) device is being released. For UFS, the
crypto private data and pointers are stored as part of the ufs_hba's
data structure 'struct ufs_hba::crypto_profile'. This structure is
allocated as part of the underlying ufshcd and therefore Scsi_host
allocation.
During driver release or during error handling in ufshcd_pltfrm_init(),
this structure is released as part of ufshcd_dealloc_host() before the
(platform-) device associated with the crypto call above is released.
Once this device is released, the crypto cleanup code will run, using
the just-released 'struct ufs_hba::crypto_profile'. This causes a
use-after-free situation:
Call trace:
kfree+0x60/0x2d8 (P)
kvfree+0x44/0x60
blk_crypto_profile_destroy_callback+0x28/0x70
devm_action_release+0x1c/0x30
release_nodes+0x6c/0x108
devres_release_all+0x98/0x100
device_unbind_cleanup+0x20/0x70
really_probe+0x218/0x2d0
In other words, the initialisation code flow is:
platform-device probe
ufshcd_pltfrm_init()
ufshcd_alloc_host()
scsi_host_alloc()
allocation of struct ufs_hba
creation of scsi-host devices
devm_blk_crypto_profile_init()
devm registration of cleanup handler using platform-device
and during error handling of ufshcd_pltfrm_init() or during driver
removal:
ufshcd_dealloc_host()
scsi_host_put()
put_device(scsi-host)
release of struct ufs_hba
put_device(platform-device)
crypto cleanup handler
To fix this use-after free, change ufshcd_alloc_host() to register a
devres action to automatically cleanup the underlying SCSI device on
ufshcd destruction, without requiring explicit calls to
ufshcd_dealloc_host(). This way:
* the crypto profile and all other ufs_hba-owned resources are
destroyed before SCSI (as they've been registered after)
* a memleak is plugged in tc-dwc-g210-pci.c remove() as a
side-effect
* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
it's not needed anymore
* no future drivers using ufshcd_alloc_host() could ever forget
adding the cleanup
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:30.354249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:29.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c",
"drivers/ufs/host/ufshcd-pci.c",
"drivers/ufs/host/ufshcd-pltfrm.c",
"include/ufs/ufshcd.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c77c0d754fe83cb154715fcfec6c3faef94f207",
"status": "affected",
"version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
"versionType": "git"
},
{
"lessThan": "9c185beae09a3eb85f54777edafa227f7e03075d",
"status": "affected",
"version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
"versionType": "git"
},
{
"lessThan": "f8fb2403ddebb5eea0033d90d9daae4c88749ada",
"status": "affected",
"version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c",
"drivers/ufs/host/ufshcd-pci.c",
"drivers/ufs/host/ufshcd-pltfrm.c",
"include/ufs/ufshcd.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix use-after free in init error and remove paths\n\ndevm_blk_crypto_profile_init() registers a cleanup handler to run when\nthe associated (platform-) device is being released. For UFS, the\ncrypto private data and pointers are stored as part of the ufs_hba\u0027s\ndata structure \u0027struct ufs_hba::crypto_profile\u0027. This structure is\nallocated as part of the underlying ufshcd and therefore Scsi_host\nallocation.\n\nDuring driver release or during error handling in ufshcd_pltfrm_init(),\nthis structure is released as part of ufshcd_dealloc_host() before the\n(platform-) device associated with the crypto call above is released.\nOnce this device is released, the crypto cleanup code will run, using\nthe just-released \u0027struct ufs_hba::crypto_profile\u0027. This causes a\nuse-after-free situation:\n\n Call trace:\n kfree+0x60/0x2d8 (P)\n kvfree+0x44/0x60\n blk_crypto_profile_destroy_callback+0x28/0x70\n devm_action_release+0x1c/0x30\n release_nodes+0x6c/0x108\n devres_release_all+0x98/0x100\n device_unbind_cleanup+0x20/0x70\n really_probe+0x218/0x2d0\n\nIn other words, the initialisation code flow is:\n\n platform-device probe\n ufshcd_pltfrm_init()\n ufshcd_alloc_host()\n scsi_host_alloc()\n allocation of struct ufs_hba\n creation of scsi-host devices\n devm_blk_crypto_profile_init()\n devm registration of cleanup handler using platform-device\n\nand during error handling of ufshcd_pltfrm_init() or during driver\nremoval:\n\n ufshcd_dealloc_host()\n scsi_host_put()\n put_device(scsi-host)\n release of struct ufs_hba\n put_device(platform-device)\n crypto cleanup handler\n\nTo fix this use-after free, change ufshcd_alloc_host() to register a\ndevres action to automatically cleanup the underlying SCSI device on\nufshcd destruction, without requiring explicit calls to\nufshcd_dealloc_host(). This way:\n\n * the crypto profile and all other ufs_hba-owned resources are\n destroyed before SCSI (as they\u0027ve been registered after)\n * a memleak is plugged in tc-dwc-g210-pci.c remove() as a\n side-effect\n * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as\n it\u0027s not needed anymore\n * no future drivers using ufshcd_alloc_host() could ever forget\n adding the cleanup"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:07.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207"
},
{
"url": "https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d"
},
{
"url": "https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada"
}
],
"title": "scsi: ufs: core: Fix use-after free in init error and remove paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21739",
"datePublished": "2025-02-27T02:12:14.581Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-05-04T07:20:07.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49610 (GCVE-0-2022-49610)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: VMX: Prevent RSB underflow before vmenter
On VMX, there are some balanced returns between the time the guest's
SPEC_CTRL value is written, and the vmenter.
Balanced returns (matched by a preceding call) are usually ok, but it's
at least theoretically possible an NMI with a deep call stack could
empty the RSB before one of the returns.
For maximum paranoia, don't allow *any* returns (balanced or otherwise)
between the SPEC_CTRL write and the vmenter.
[ bp: Fix 32-bit build. ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/asm-offsets.c",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/vmx/capabilities.h",
"arch/x86/kvm/vmx/vmenter.S",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/vmx.h",
"arch/x86/kvm/vmx/vmx_ops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afd743f6dde87296c6f3414706964c491bb85862",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07853adc29a058c5fd143c14e5ac528448a72ed9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/asm-offsets.c",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/vmx/capabilities.h",
"arch/x86/kvm/vmx/vmenter.S",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/vmx.h",
"arch/x86/kvm/vmx/vmx_ops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Prevent RSB underflow before vmenter\n\nOn VMX, there are some balanced returns between the time the guest\u0027s\nSPEC_CTRL value is written, and the vmenter.\n\nBalanced returns (matched by a preceding call) are usually ok, but it\u0027s\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\n\nFor maximum paranoia, don\u0027t allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n\n [ bp: Fix 32-bit build. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:44.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afd743f6dde87296c6f3414706964c491bb85862"
},
{
"url": "https://git.kernel.org/stable/c/07853adc29a058c5fd143c14e5ac528448a72ed9"
}
],
"title": "KVM: VMX: Prevent RSB underflow before vmenter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49610",
"datePublished": "2025-02-26T02:23:33.299Z",
"dateReserved": "2025-02-26T02:21:30.417Z",
"dateUpdated": "2025-05-04T08:41:44.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49235 (GCVE-0-2022-49235)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath9k_htc: fix uninit value bugs
Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing
field initialization.
In htc_connect_service() svc_meta_len and pad are not initialized. Based
on code it looks like in current skb there is no service data, so simply
initialize svc_meta_len to 0.
htc_issue_send() does not initialize htc_frame_hdr::control array. Based
on firmware code, it will initialize it by itself, so simply zero whole
array to make KMSAN happy
Fail logs:
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...
Bytes 4-7 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
...
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
...
Bytes 16-17 of 18 are uninitialized
Memory access of size 18 starts at ffff888027377e00
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 Version: fb9987d0f748c983bb795a86f47522313f701a08 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49235",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:00.525917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:03.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "e352acdd378e9263cc4c6018e588f2dac7161d07",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ee4222052a76559c20e821bc3519cefb58b6d3e9",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "4d244b731188e0b63fc40a9d2dec72e9181fb37c",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "11f11ac281f0c0b363d2940204f28bae0422ed71",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "0b700f7d06492de34964b6f414120043364f8191",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "7da6169b6ebb75816b57be3beb829afa74f3b4b6",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "5abf2b761b998063f5e2bae93fd4ab10e2a80f10",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d1e0df1c57bd30871dd1c855742a7c346dbca853",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k_htc: fix uninit value bugs\n\nSyzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing\nfield initialization.\n\nIn htc_connect_service() svc_meta_len and pad are not initialized. Based\non code it looks like in current skb there is no service data, so simply\ninitialize svc_meta_len to 0.\n\nhtc_issue_send() does not initialize htc_frame_hdr::control array. Based\non firmware code, it will initialize it by itself, so simply zero whole\narray to make KMSAN happy\n\nFail logs:\n\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\n hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\n htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\n htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\n\nBytes 4-7 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00\n\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\n hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\n htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\n htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\n\nBytes 16-17 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:02.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c2a6a8daa17a3f65b38b9a5574bb362c13fa1d9"
},
{
"url": "https://git.kernel.org/stable/c/e352acdd378e9263cc4c6018e588f2dac7161d07"
},
{
"url": "https://git.kernel.org/stable/c/ee4222052a76559c20e821bc3519cefb58b6d3e9"
},
{
"url": "https://git.kernel.org/stable/c/4d244b731188e0b63fc40a9d2dec72e9181fb37c"
},
{
"url": "https://git.kernel.org/stable/c/11f11ac281f0c0b363d2940204f28bae0422ed71"
},
{
"url": "https://git.kernel.org/stable/c/0b700f7d06492de34964b6f414120043364f8191"
},
{
"url": "https://git.kernel.org/stable/c/7da6169b6ebb75816b57be3beb829afa74f3b4b6"
},
{
"url": "https://git.kernel.org/stable/c/5abf2b761b998063f5e2bae93fd4ab10e2a80f10"
},
{
"url": "https://git.kernel.org/stable/c/d1e0df1c57bd30871dd1c855742a7c346dbca853"
}
],
"title": "ath9k_htc: fix uninit value bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49235",
"datePublished": "2025-02-26T01:56:00.212Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-10-01T19:47:03.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49499 (GCVE-0-2022-49499)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix null pointer dereferences without iommu
Check if 'aspace' is set before using it as it will stay null without
IOMMU, such as on msm8974.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:36.001150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/adreno_gpu.c",
"drivers/gpu/drm/msm/msm_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f09937e80f9bc792965476c9a528f26c8fdc9179",
"status": "affected",
"version": "bc2112583a0b473f5c4ba87c00da84abd5d0b3fd",
"versionType": "git"
},
{
"lessThan": "36a1d1bda77e1851bddfa9cf4e8ada94476dbaff",
"status": "affected",
"version": "bc2112583a0b473f5c4ba87c00da84abd5d0b3fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/adreno_gpu.c",
"drivers/gpu/drm/msm/msm_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix null pointer dereferences without iommu\n\nCheck if \u0027aspace\u0027 is set before using it as it will stay null without\nIOMMU, such as on msm8974."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:14.597Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f09937e80f9bc792965476c9a528f26c8fdc9179"
},
{
"url": "https://git.kernel.org/stable/c/36a1d1bda77e1851bddfa9cf4e8ada94476dbaff"
}
],
"title": "drm/msm: Fix null pointer dereferences without iommu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49499",
"datePublished": "2025-02-26T02:13:33.569Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:43.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49536 (GCVE-0-2022-49536)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock
During stress I/O tests with 500+ vports, hard LOCKUP call traces are
observed.
CPU A:
native_queued_spin_lock_slowpath+0x192
_raw_spin_lock_irqsave+0x32
lpfc_handle_fcp_err+0x4c6
lpfc_fcp_io_cmd_wqe_cmpl+0x964
lpfc_sli4_fp_handle_cqe+0x266
__lpfc_sli4_process_cq+0x105
__lpfc_sli4_hba_process_cq+0x3c
lpfc_cq_poll_hdler+0x16
irq_poll_softirq+0x76
__softirqentry_text_start+0xe4
irq_exit+0xf7
do_IRQ+0x7f
CPU B:
native_queued_spin_lock_slowpath+0x5b
_raw_spin_lock+0x1c
lpfc_abort_handler+0x13e
scmd_eh_abort_handler+0x85
process_one_work+0x1a7
worker_thread+0x30
kthread+0x112
ret_from_fork+0x1f
Diagram of lockup:
CPUA CPUB
---- ----
lpfc_cmd->buf_lock
phba->hbalock
lpfc_cmd->buf_lock
phba->hbalock
Fix by reordering the taking of the lpfc_cmd->buf_lock and phba->hbalock in
lpfc_abort_handler routine so that it tries to take the lpfc_cmd->buf_lock
first before phba->hbalock.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49536",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:45.898747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:40.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7625e81de2164a082810e1f27547d388406da610",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21c0d469349957b5dc811c41200a2a998996ca8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4eed901285b9cae36a622f32bea3e92490da6c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "03cbbd7c2f5ee288f648f4aeedc765a181188553",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix SCSI I/O completion and abort handler deadlock\n\nDuring stress I/O tests with 500+ vports, hard LOCKUP call traces are\nobserved.\n\nCPU A:\n native_queued_spin_lock_slowpath+0x192\n _raw_spin_lock_irqsave+0x32\n lpfc_handle_fcp_err+0x4c6\n lpfc_fcp_io_cmd_wqe_cmpl+0x964\n lpfc_sli4_fp_handle_cqe+0x266\n __lpfc_sli4_process_cq+0x105\n __lpfc_sli4_hba_process_cq+0x3c\n lpfc_cq_poll_hdler+0x16\n irq_poll_softirq+0x76\n __softirqentry_text_start+0xe4\n irq_exit+0xf7\n do_IRQ+0x7f\n\nCPU B:\n native_queued_spin_lock_slowpath+0x5b\n _raw_spin_lock+0x1c\n lpfc_abort_handler+0x13e\n scmd_eh_abort_handler+0x85\n process_one_work+0x1a7\n worker_thread+0x30\n kthread+0x112\n ret_from_fork+0x1f\n\nDiagram of lockup:\n\nCPUA CPUB\n---- ----\nlpfc_cmd-\u003ebuf_lock\n phba-\u003ehbalock\n lpfc_cmd-\u003ebuf_lock\nphba-\u003ehbalock\n\nFix by reordering the taking of the lpfc_cmd-\u003ebuf_lock and phba-\u003ehbalock in\nlpfc_abort_handler routine so that it tries to take the lpfc_cmd-\u003ebuf_lock\nfirst before phba-\u003ehbalock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:02.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7625e81de2164a082810e1f27547d388406da610"
},
{
"url": "https://git.kernel.org/stable/c/21c0d469349957b5dc811c41200a2a998996ca8d"
},
{
"url": "https://git.kernel.org/stable/c/0c4eed901285b9cae36a622f32bea3e92490da6c"
},
{
"url": "https://git.kernel.org/stable/c/03cbbd7c2f5ee288f648f4aeedc765a181188553"
}
],
"title": "scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49536",
"datePublished": "2025-02-26T02:13:54.014Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:40.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58079 (GCVE-0-2024-58079)
Vulnerability from cvelistv5
Published
2025-03-06 16:13
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix crash during unbind if gpio unit is in use
We used the wrong device for the device managed functions. We used the
usb device, when we should be using the interface device.
If we unbind the driver from the usb interface, the cleanup functions
are never called. In our case, the IRQ is never disabled.
If an IRQ is triggered, it will try to access memory sections that are
already free, causing an OOPS.
We cannot use the function devm_request_threaded_irq here. The devm_*
clean functions may be called after the main structure is released by
uvc_delete.
Luckily this bug has small impact, as it is only affected by devices
with gpio units and the user has to unbind the device, a disconnect will
not trigger this error.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 Version: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:12.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fdd7cc593385e46e92e180b71e264fc9c195298",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "3c00e94d00ca079bef7906d6f39d1091bccfedd3",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "0b5e0445bc8384c18bd35cb9fe87f6258c6271d9",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "d2eac8b14ac690aa73052aa6d4ba69005715367e",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix crash during unbind if gpio unit is in use\n\nWe used the wrong device for the device managed functions. We used the\nusb device, when we should be using the interface device.\n\nIf we unbind the driver from the usb interface, the cleanup functions\nare never called. In our case, the IRQ is never disabled.\n\nIf an IRQ is triggered, it will try to access memory sections that are\nalready free, causing an OOPS.\n\nWe cannot use the function devm_request_threaded_irq here. The devm_*\nclean functions may be called after the main structure is released by\nuvc_delete.\n\nLuckily this bug has small impact, as it is only affected by devices\nwith gpio units and the user has to unbind the device, a disconnect will\nnot trigger this error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:30.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298"
},
{
"url": "https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3"
},
{
"url": "https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9"
},
{
"url": "https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e"
},
{
"url": "https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d"
},
{
"url": "https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5"
}
],
"title": "media: uvcvideo: Fix crash during unbind if gpio unit is in use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58079",
"datePublished": "2025-03-06T16:13:42.640Z",
"dateReserved": "2025-03-06T15:52:09.183Z",
"dateUpdated": "2025-11-03T19:34:12.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21878 (GCVE-0-2025-21878)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: npcm: disable interrupt enable bit before devm_request_irq
The customer reports that there is a soft lockup issue related to
the i2c driver. After checking, the i2c module was doing a tx transfer
and the bmc machine reboots in the middle of the i2c transaction, the i2c
module keeps the status without being reset.
Due to such an i2c module status, the i2c irq handler keeps getting
triggered since the i2c irq handler is registered in the kernel booting
process after the bmc machine is doing a warm rebooting.
The continuous triggering is stopped by the soft lockup watchdog timer.
Disable the interrupt enable bit in the i2c module before calling
devm_request_irq to fix this issue since the i2c relative status bit
is read-only.
Here is the soft lockup log.
[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]
[ 28.183351] Modules linked in:
[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1
[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 28.208128] pc : __do_softirq+0xb0/0x368
[ 28.212055] lr : __do_softirq+0x70/0x368
[ 28.215972] sp : ffffff8035ebca00
[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780
[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0
[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b
[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff
[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000
[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2
[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250
[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434
[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198
[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40
[ 28.290611] Call trace:
[ 28.293052] __do_softirq+0xb0/0x368
[ 28.296625] __irq_exit_rcu+0xe0/0x100
[ 28.300374] irq_exit+0x14/0x20
[ 28.303513] handle_domain_irq+0x68/0x90
[ 28.307440] gic_handle_irq+0x78/0xb0
[ 28.311098] call_on_irq_stack+0x20/0x38
[ 28.315019] do_interrupt_handler+0x54/0x5c
[ 28.319199] el1_interrupt+0x2c/0x4c
[ 28.322777] el1h_64_irq_handler+0x14/0x20
[ 28.326872] el1h_64_irq+0x74/0x78
[ 28.330269] __setup_irq+0x454/0x780
[ 28.333841] request_threaded_irq+0xd0/0x1b4
[ 28.338107] devm_request_threaded_irq+0x84/0x100
[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0
[ 28.346990] platform_probe+0x6c/0xc4
[ 28.350653] really_probe+0xcc/0x45c
[ 28.354227] __driver_probe_device+0x8c/0x160
[ 28.358578] driver_probe_device+0x44/0xe0
[ 28.362670] __driver_attach+0x124/0x1d0
[ 28.366589] bus_for_each_dev+0x7c/0xe0
[ 28.370426] driver_attach+0x28/0x30
[ 28.373997] bus_add_driver+0x124/0x240
[ 28.377830] driver_register+0x7c/0x124
[ 28.381662] __platform_driver_register+0x2c/0x34
[ 28.386362] npcm_i2c_init+0x3c/0x5c
[ 28.389937] do_one_initcall+0x74/0x230
[ 28.393768] kernel_init_freeable+0x24c/0x2b4
[ 28.398126] kernel_init+0x28/0x130
[ 28.401614] ret_from_fork+0x10/0x20
[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks
[ 28.411011] SMP: stopping secondary CPUs
[ 28.414933] Kernel Offset: disabled
[ 28.418412] CPU features: 0x00000000,00000802
[ 28.427644] Rebooting in 20 seconds..
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:37.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-npcm7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f32d7b4dc6e791523c70e83049645dcba2a2aa33",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "e3aea1dba97d31eceed7b622000af0406988b9c8",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "545b563eb00d0576775da4011b3f7ffefc9e8c60",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "12d0e39916705b68d2d8ba20a8e35d1d27afc260",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "846e371631c57365eeb89e5db1ab0f344169af93",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "dd1998e243f5fa25d348a384ba0b6c84d980f2b2",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-npcm7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine reboots in the middle of the i2c transaction, the i2c\nmodule keeps the status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine is doing a warm rebooting.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[ 28.183351] Modules linked in:\n[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 28.208128] pc : __do_softirq+0xb0/0x368\n[ 28.212055] lr : __do_softirq+0x70/0x368\n[ 28.215972] sp : ffffff8035ebca00\n[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[ 28.290611] Call trace:\n[ 28.293052] __do_softirq+0xb0/0x368\n[ 28.296625] __irq_exit_rcu+0xe0/0x100\n[ 28.300374] irq_exit+0x14/0x20\n[ 28.303513] handle_domain_irq+0x68/0x90\n[ 28.307440] gic_handle_irq+0x78/0xb0\n[ 28.311098] call_on_irq_stack+0x20/0x38\n[ 28.315019] do_interrupt_handler+0x54/0x5c\n[ 28.319199] el1_interrupt+0x2c/0x4c\n[ 28.322777] el1h_64_irq_handler+0x14/0x20\n[ 28.326872] el1h_64_irq+0x74/0x78\n[ 28.330269] __setup_irq+0x454/0x780\n[ 28.333841] request_threaded_irq+0xd0/0x1b4\n[ 28.338107] devm_request_threaded_irq+0x84/0x100\n[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0\n[ 28.346990] platform_probe+0x6c/0xc4\n[ 28.350653] really_probe+0xcc/0x45c\n[ 28.354227] __driver_probe_device+0x8c/0x160\n[ 28.358578] driver_probe_device+0x44/0xe0\n[ 28.362670] __driver_attach+0x124/0x1d0\n[ 28.366589] bus_for_each_dev+0x7c/0xe0\n[ 28.370426] driver_attach+0x28/0x30\n[ 28.373997] bus_add_driver+0x124/0x240\n[ 28.377830] driver_register+0x7c/0x124\n[ 28.381662] __platform_driver_register+0x2c/0x34\n[ 28.386362] npcm_i2c_init+0x3c/0x5c\n[ 28.389937] do_one_initcall+0x74/0x230\n[ 28.393768] kernel_init_freeable+0x24c/0x2b4\n[ 28.398126] kernel_init+0x28/0x130\n[ 28.401614] ret_from_fork+0x10/0x20\n[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[ 28.411011] SMP: stopping secondary CPUs\n[ 28.414933] Kernel Offset: disabled\n[ 28.418412] CPU features: 0x00000000,00000802\n[ 28.427644] Rebooting in 20 seconds.."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:10.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33"
},
{
"url": "https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8"
},
{
"url": "https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60"
},
{
"url": "https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9"
},
{
"url": "https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260"
},
{
"url": "https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93"
},
{
"url": "https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2"
}
],
"title": "i2c: npcm: disable interrupt enable bit before devm_request_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21878",
"datePublished": "2025-03-27T14:57:08.155Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-11-03T19:38:37.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49182 (GCVE-0-2022-49182)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add vlan list lock to protect vlan list
When adding port base VLAN, vf VLAN need to remove from HW and modify
the vlan state in vf VLAN list as false. If the periodicity task is
freeing the same node, it may cause "use after free" error.
This patch adds a vlan list lock to protect the vlan list.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T18:04:19.985508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T18:07:17.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30f0ff7176efe8ac6c55f85bce26ed58bb608758",
"status": "affected",
"version": "c6075b193462d9a3930fb41f587f94720658752a",
"versionType": "git"
},
{
"lessThan": "09e383ca97e798f9954189b741af54b5c51e7a97",
"status": "affected",
"version": "c6075b193462d9a3930fb41f587f94720658752a",
"versionType": "git"
},
{
"lessThan": "f58af41deeab0f45c9c80adf5f2de489ebbac3dd",
"status": "affected",
"version": "c6075b193462d9a3930fb41f587f94720658752a",
"versionType": "git"
},
{
"lessThan": "1932a624ab88ff407d1a1d567fe581faa15dc725",
"status": "affected",
"version": "c6075b193462d9a3930fb41f587f94720658752a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add vlan list lock to protect vlan list\n\nWhen adding port base VLAN, vf VLAN need to remove from HW and modify\nthe vlan state in vf VLAN list as false. If the periodicity task is\nfreeing the same node, it may cause \"use after free\" error.\nThis patch adds a vlan list lock to protect the vlan list."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:45.489Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30f0ff7176efe8ac6c55f85bce26ed58bb608758"
},
{
"url": "https://git.kernel.org/stable/c/09e383ca97e798f9954189b741af54b5c51e7a97"
},
{
"url": "https://git.kernel.org/stable/c/f58af41deeab0f45c9c80adf5f2de489ebbac3dd"
},
{
"url": "https://git.kernel.org/stable/c/1932a624ab88ff407d1a1d567fe581faa15dc725"
}
],
"title": "net: hns3: add vlan list lock to protect vlan list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49182",
"datePublished": "2025-02-26T01:55:33.574Z",
"dateReserved": "2025-02-26T01:49:39.283Z",
"dateUpdated": "2025-05-04T08:31:45.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49583 (GCVE-0-2022-49583)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix handling of dummy receive descriptors
Fix memory leak caused by not handling dummy receive descriptor properly.
iavf_get_rx_buffer now sets the rx_buffer return value for dummy receive
descriptors. Without this patch, when the hardware writes a dummy
descriptor, iavf would not free the page allocated for the previous receive
buffer. This is an unlikely event but can still happen.
[Jesse: massaged commit message]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efa14c3985828da3163f5372137cb64d992b0f79 Version: efa14c3985828da3163f5372137cb64d992b0f79 Version: efa14c3985828da3163f5372137cb64d992b0f79 Version: efa14c3985828da3163f5372137cb64d992b0f79 Version: efa14c3985828da3163f5372137cb64d992b0f79 Version: 2a51e334a0ade539e5b0fcfdbd8b43acb9c7547d Version: 833577ecf3451c7306abb48f221d365c2ee4cc1b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:36:11.477451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:54.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d88d59faf4e6f9cc4767664206afdb999b10ec77",
"status": "affected",
"version": "efa14c3985828da3163f5372137cb64d992b0f79",
"versionType": "git"
},
{
"lessThan": "c6af94324911ef0846af1a5ce5e049ca736db34b",
"status": "affected",
"version": "efa14c3985828da3163f5372137cb64d992b0f79",
"versionType": "git"
},
{
"lessThan": "2918419c06088f6709ceb543feb01752779ade4c",
"status": "affected",
"version": "efa14c3985828da3163f5372137cb64d992b0f79",
"versionType": "git"
},
{
"lessThan": "6edb818732fc05fda495f5b3a749bd1cee01398b",
"status": "affected",
"version": "efa14c3985828da3163f5372137cb64d992b0f79",
"versionType": "git"
},
{
"lessThan": "a9f49e0060301a9bfebeca76739158d0cf91cdf6",
"status": "affected",
"version": "efa14c3985828da3163f5372137cb64d992b0f79",
"versionType": "git"
},
{
"status": "affected",
"version": "2a51e334a0ade539e5b0fcfdbd8b43acb9c7547d",
"versionType": "git"
},
{
"status": "affected",
"version": "833577ecf3451c7306abb48f221d365c2ee4cc1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix handling of dummy receive descriptors\n\nFix memory leak caused by not handling dummy receive descriptor properly.\niavf_get_rx_buffer now sets the rx_buffer return value for dummy receive\ndescriptors. Without this patch, when the hardware writes a dummy\ndescriptor, iavf would not free the page allocated for the previous receive\nbuffer. This is an unlikely event but can still happen.\n\n[Jesse: massaged commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:54.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d88d59faf4e6f9cc4767664206afdb999b10ec77"
},
{
"url": "https://git.kernel.org/stable/c/c6af94324911ef0846af1a5ce5e049ca736db34b"
},
{
"url": "https://git.kernel.org/stable/c/2918419c06088f6709ceb543feb01752779ade4c"
},
{
"url": "https://git.kernel.org/stable/c/6edb818732fc05fda495f5b3a749bd1cee01398b"
},
{
"url": "https://git.kernel.org/stable/c/a9f49e0060301a9bfebeca76739158d0cf91cdf6"
}
],
"title": "iavf: Fix handling of dummy receive descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49583",
"datePublished": "2025-02-26T02:23:20.108Z",
"dateReserved": "2025-02-26T02:21:30.412Z",
"dateUpdated": "2025-10-01T19:36:54.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49398 (GCVE-0-2022-49398)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
The list_for_each_entry_safe() macro saves the current item (n) and
the item after (n+1), so that n can be safely removed without
corrupting the list. However, when traversing the list and removing
items using gadget giveback, the DWC3 lock is briefly released,
allowing other routines to execute. There is a situation where, while
items are being removed from the cancelled_list using
dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable
routine is running in parallel (due to UDC unbind). As the cleanup
routine removes n, and the pullup disable removes n+1, once the
cleanup retakes the DWC3 lock, it references a request who was already
removed/handled. With list debug enabled, this leads to a panic.
Ensure all instances of the macro are replaced where gadget giveback
is used.
Example call stack:
Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
-> dwc3_gadget_ep_cleanup_cancelled_requests()
->list_for_each_entry_safe()
->dwc3_gadget_giveback(n)
->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
->spin_unlock
->Thread#2 executes
...
->dwc3_gadget_giveback(n+1)
->Already removed!
Thread#2:
dwc3_gadget_pullup()
->waiting for dwc3 spin_lock
...
->Thread#1 released lock
->dwc3_stop_active_transfers()
->dwc3_remove_requests()
->fetches n+1 item from cancelled_list (n removed by Thread#1)
->dwc3_gadget_giveback()
->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
->spin_unlock
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a",
"status": "affected",
"version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
"versionType": "git"
},
{
"lessThan": "2424307cdf421ac72075a1384eae4e4199ab6457",
"status": "affected",
"version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
"versionType": "git"
},
{
"lessThan": "26a7e6832afe9d9a991cfd9015177f083cf959cc",
"status": "affected",
"version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
"versionType": "git"
},
{
"lessThan": "bf594d1d0c1d7b895954018043536ffd327844f9",
"status": "affected",
"version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
"versionType": "git"
},
{
"status": "affected",
"version": "d7ff2e3ff0e09d57b43014fe26b13bb3c9677254",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list. However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute. There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind). As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled. With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n -\u003e dwc3_gadget_ep_cleanup_cancelled_requests()\n -\u003elist_for_each_entry_safe()\n -\u003edwc3_gadget_giveback(n)\n -\u003edwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n -\u003espin_unlock\n -\u003eThread#2 executes\n ...\n -\u003edwc3_gadget_giveback(n+1)\n -\u003eAlready removed!\n\nThread#2:\ndwc3_gadget_pullup()\n -\u003ewaiting for dwc3 spin_lock\n ...\n -\u003eThread#1 released lock\n -\u003edwc3_stop_active_transfers()\n -\u003edwc3_remove_requests()\n -\u003efetches n+1 item from cancelled_list (n removed by Thread#1)\n -\u003edwc3_gadget_giveback()\n -\u003edwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n -\u003espin_unlock"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:36.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"
},
{
"url": "https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457"
},
{
"url": "https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc"
},
{
"url": "https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9"
}
],
"title": "usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49398",
"datePublished": "2025-02-26T02:12:27.141Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T12:44:36.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49295 (GCVE-0-2022-49295)
Vulnerability from cvelistv5
Published
2025-02-26 02:01
Modified
2025-10-29 10:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: call genl_unregister_family() first in nbd_cleanup()
Otherwise there may be race between module removal and the handling of
netlink command, which can lead to the oops as shown below:
BUG: kernel NULL pointer dereference, address: 0000000000000098
Oops: 0002 [#1] SMP PTI
CPU: 1 PID: 31299 Comm: nbd-client Tainted: G E 5.14.0-rc4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:down_write+0x1a/0x50
Call Trace:
start_creating+0x89/0x130
debugfs_create_dir+0x1b/0x130
nbd_start_device+0x13d/0x390 [nbd]
nbd_genl_connect+0x42f/0x748 [nbd]
genl_family_rcv_msg_doit.isra.0+0xec/0x150
genl_rcv_msg+0xe5/0x1e0
netlink_rcv_skb+0x55/0x100
genl_rcv+0x29/0x40
netlink_unicast+0x1a8/0x250
netlink_sendmsg+0x21b/0x430
____sys_sendmsg+0x2a4/0x2d0
___sys_sendmsg+0x81/0xc0
__sys_sendmsg+0x62/0xb0
__x64_sys_sendmsg+0x1f/0x30
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
Modules linked in: nbd(E-)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 Version: e46c7287b1c27683a8e30ca825fb98e2b97f1099 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:04.172443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:59.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a1435c862ea09b06be7acda325128dc08458e25",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "013a79f1b5c89290e2e97f1ebf14b14e0cf5fe5c",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "1be608e1ee1f222464b2856bda9b85ab5184a33e",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "c0868f6e728c3c28bef0e8bee89d2daf86a8bbca",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "cbeafa7a79d08ecdb55f8f1d41a11323d0f709db",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "6f505bbb8063fd3a238a4239d2d8c165e5279f6f",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "3d5da1ffba3388c2ae2e6c598855a4d887d3bf79",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
},
{
"lessThan": "06c4da89c24e7023ea448cadf8e9daf06a0aae6e",
"status": "affected",
"version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: call genl_unregister_family() first in nbd_cleanup()\n\nOtherwise there may be race between module removal and the handling of\nnetlink command, which can lead to the oops as shown below:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000098\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 31299 Comm: nbd-client Tainted: G E 5.14.0-rc4\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:down_write+0x1a/0x50\n Call Trace:\n start_creating+0x89/0x130\n debugfs_create_dir+0x1b/0x130\n nbd_start_device+0x13d/0x390 [nbd]\n nbd_genl_connect+0x42f/0x748 [nbd]\n genl_family_rcv_msg_doit.isra.0+0xec/0x150\n genl_rcv_msg+0xe5/0x1e0\n netlink_rcv_skb+0x55/0x100\n genl_rcv+0x29/0x40\n netlink_unicast+0x1a8/0x250\n netlink_sendmsg+0x21b/0x430\n ____sys_sendmsg+0x2a4/0x2d0\n ___sys_sendmsg+0x81/0xc0\n __sys_sendmsg+0x62/0xb0\n __x64_sys_sendmsg+0x1f/0x30\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n Modules linked in: nbd(E-)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:49:58.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a1435c862ea09b06be7acda325128dc08458e25"
},
{
"url": "https://git.kernel.org/stable/c/013a79f1b5c89290e2e97f1ebf14b14e0cf5fe5c"
},
{
"url": "https://git.kernel.org/stable/c/1be608e1ee1f222464b2856bda9b85ab5184a33e"
},
{
"url": "https://git.kernel.org/stable/c/c0868f6e728c3c28bef0e8bee89d2daf86a8bbca"
},
{
"url": "https://git.kernel.org/stable/c/cbeafa7a79d08ecdb55f8f1d41a11323d0f709db"
},
{
"url": "https://git.kernel.org/stable/c/6f505bbb8063fd3a238a4239d2d8c165e5279f6f"
},
{
"url": "https://git.kernel.org/stable/c/3d5da1ffba3388c2ae2e6c598855a4d887d3bf79"
},
{
"url": "https://git.kernel.org/stable/c/06c4da89c24e7023ea448cadf8e9daf06a0aae6e"
}
],
"title": "nbd: call genl_unregister_family() first in nbd_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49295",
"datePublished": "2025-02-26T02:01:25.659Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-29T10:49:58.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49504 (GCVE-0-2022-49504)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Inhibit aborts if external loopback plug is inserted
After running a short external loopback test, when the external loopback is
removed and a normal cable inserted that is directly connected to a target
device, the system oops in the llpfc_set_rrq_active() routine.
When the loopback was inserted an FLOGI was transmit. As we're looped back,
we receive the FLOGI request. The FLOGI is ABTS'd as we recognize the same
wppn thus understand it's a loopback. However, as the ABTS sends address
information the port is not set to (fffffe), the ABTS is dropped on the
wire. A short 1 frame loopback test is run and completes before the ABTS
times out. The looback is unplugged and the new cable plugged in, and the
an FLOGI to the new device occurs and completes. Due to a mixup in ref
counting the completion of the new FLOGI releases the fabric ndlp. Then the
original ABTS completes and references the released ndlp generating the
oops.
Correct by no-op'ing the ABTS when in loopback mode (it will be dropped
anyway). Added a flag to track the mode to recognize when it should be
no-op'd.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc.h",
"drivers/scsi/lpfc/lpfc_els.c",
"drivers/scsi/lpfc/lpfc_hbadisc.c",
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a1516930cb605caee3bc7b4f3b7994b88c0b8505",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ead76d4c09b89f4c8d632648026a476a5a34fde8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc.h",
"drivers/scsi/lpfc/lpfc_els.c",
"drivers/scsi/lpfc/lpfc_hbadisc.c",
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Inhibit aborts if external loopback plug is inserted\n\nAfter running a short external loopback test, when the external loopback is\nremoved and a normal cable inserted that is directly connected to a target\ndevice, the system oops in the llpfc_set_rrq_active() routine.\n\nWhen the loopback was inserted an FLOGI was transmit. As we\u0027re looped back,\nwe receive the FLOGI request. The FLOGI is ABTS\u0027d as we recognize the same\nwppn thus understand it\u0027s a loopback. However, as the ABTS sends address\ninformation the port is not set to (fffffe), the ABTS is dropped on the\nwire. A short 1 frame loopback test is run and completes before the ABTS\ntimes out. The looback is unplugged and the new cable plugged in, and the\nan FLOGI to the new device occurs and completes. Due to a mixup in ref\ncounting the completion of the new FLOGI releases the fabric ndlp. Then the\noriginal ABTS completes and references the released ndlp generating the\noops.\n\nCorrect by no-op\u0027ing the ABTS when in loopback mode (it will be dropped\nanyway). Added a flag to track the mode to recognize when it should be\nno-op\u0027d."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:21.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a1516930cb605caee3bc7b4f3b7994b88c0b8505"
},
{
"url": "https://git.kernel.org/stable/c/ead76d4c09b89f4c8d632648026a476a5a34fde8"
}
],
"title": "scsi: lpfc: Inhibit aborts if external loopback plug is inserted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49504",
"datePublished": "2025-02-26T02:13:36.829Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-05-04T08:39:21.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58086 (GCVE-0-2024-58086)
Vulnerability from cvelistv5
Published
2025-03-06 16:28
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Stop active perfmon if it is being destroyed
If the active performance monitor (`v3d->active_perfmon`) is being
destroyed, stop it first. Currently, the active perfmon is not
stopped during destruction, leaving the `v3d->active_perfmon` pointer
stale. This can lead to undefined behavior and instability.
This patch ensures that the active perfmon is stopped before being
destroyed, aligning with the behavior introduced in commit
7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed").
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:21.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_perfmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22e19c8c5f6b709f4ae40227392a30d57bac187d",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "95036d4c01167568166108d42c2b0e9f8dbd7d2b",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "eb0e0eca0eab93f310c6c37b8564049366704691",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "1c5673a2c8926adbb61f340c779b28e18188a8cd",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "f8805b12f477bd964e2820a87921c7b58cc2dee3",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "21f1435b1e6b012a07c42f36b206d2b66fc8f13b",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_perfmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop active perfmon if it is being destroyed\n\nIf the active performance monitor (`v3d-\u003eactive_perfmon`) is being\ndestroyed, stop it first. Currently, the active perfmon is not\nstopped during destruction, leaving the `v3d-\u003eactive_perfmon` pointer\nstale. This can lead to undefined behavior and instability.\n\nThis patch ensures that the active perfmon is stopped before being\ndestroyed, aligning with the behavior introduced in commit\n7d1fd3638ee3 (\"drm/v3d: Stop the active perfmon before being destroyed\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:45.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22e19c8c5f6b709f4ae40227392a30d57bac187d"
},
{
"url": "https://git.kernel.org/stable/c/95036d4c01167568166108d42c2b0e9f8dbd7d2b"
},
{
"url": "https://git.kernel.org/stable/c/eb0e0eca0eab93f310c6c37b8564049366704691"
},
{
"url": "https://git.kernel.org/stable/c/1c5673a2c8926adbb61f340c779b28e18188a8cd"
},
{
"url": "https://git.kernel.org/stable/c/f8805b12f477bd964e2820a87921c7b58cc2dee3"
},
{
"url": "https://git.kernel.org/stable/c/21f1435b1e6b012a07c42f36b206d2b66fc8f13b"
}
],
"title": "drm/v3d: Stop active perfmon if it is being destroyed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58086",
"datePublished": "2025-03-06T16:28:23.042Z",
"dateReserved": "2025-03-06T15:52:09.184Z",
"dateUpdated": "2025-11-03T19:34:21.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21750 (GCVE-0-2025-21750)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Check the return value of of_property_read_string_index()
Somewhen between 6.10 and 6.11 the driver started to crash on my
MacBookPro14,3. The property doesn't exist and 'tmp' remains
uninitialized, so we pass a random pointer to devm_kstrdup().
The crash I am getting looks like this:
BUG: unable to handle page fault for address: 00007f033c669379
PF: supervisor read access in kernel mode
PF: error_code(0x0001) - permissions violation
PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025
Oops: Oops: 0001 [#1] SMP PTI
CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1
Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024
RIP: 0010:strlen+0x4/0x30
Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc
RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202
RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001
RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379
RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a
R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8
R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30
FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x149/0x4c0
? raw_spin_rq_lock_nested+0xe/0x20
? sched_balance_newidle+0x22b/0x3c0
? update_load_avg+0x78/0x770
? exc_page_fault+0x6f/0x150
? asm_exc_page_fault+0x26/0x30
? __pfx_pci_conf1_write+0x10/0x10
? strlen+0x4/0x30
devm_kstrdup+0x25/0x70
brcmf_of_probe+0x273/0x350 [brcmfmac]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:55.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af525a8b2ab85291617e79a5bb18bcdcb529e80c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9480e9f2d10135476101619bcbd1c49c15d595f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ef2ea1429684d5cef207519bdf6ce45e50e8ac5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bb8e35e33e79eb8e44396adbc8cb6c8c5f16b731",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "082d9e263af8de68f0c34f67b251818205160f6e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the return value of of_property_read_string_index()\n\nSomewhen between 6.10 and 6.11 the driver started to crash on my\nMacBookPro14,3. The property doesn\u0027t exist and \u0027tmp\u0027 remains\nuninitialized, so we pass a random pointer to devm_kstrdup().\n\nThe crash I am getting looks like this:\n\nBUG: unable to handle page fault for address: 00007f033c669379\nPF: supervisor read access in kernel mode\nPF: error_code(0x0001) - permissions violation\nPGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025\nOops: Oops: 0001 [#1] SMP PTI\nCPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1\nHardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024\nRIP: 0010:strlen+0x4/0x30\nCode: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa \u003c80\u003e 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc\nRSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202\nRAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001\nRDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379\nRBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a\nR10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8\nR13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30\nFS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x23/0x70\n ? page_fault_oops+0x149/0x4c0\n ? raw_spin_rq_lock_nested+0xe/0x20\n ? sched_balance_newidle+0x22b/0x3c0\n ? update_load_avg+0x78/0x770\n ? exc_page_fault+0x6f/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_pci_conf1_write+0x10/0x10\n ? strlen+0x4/0x30\n devm_kstrdup+0x25/0x70\n brcmf_of_probe+0x273/0x350 [brcmfmac]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:18.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af525a8b2ab85291617e79a5bb18bcdcb529e80c"
},
{
"url": "https://git.kernel.org/stable/c/c9480e9f2d10135476101619bcbd1c49c15d595f"
},
{
"url": "https://git.kernel.org/stable/c/7ef2ea1429684d5cef207519bdf6ce45e50e8ac5"
},
{
"url": "https://git.kernel.org/stable/c/bb8e35e33e79eb8e44396adbc8cb6c8c5f16b731"
},
{
"url": "https://git.kernel.org/stable/c/082d9e263af8de68f0c34f67b251818205160f6e"
}
],
"title": "wifi: brcmfmac: Check the return value of of_property_read_string_index()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21750",
"datePublished": "2025-02-27T02:12:21.155Z",
"dateReserved": "2024-12-29T08:45:45.758Z",
"dateUpdated": "2025-11-03T19:36:55.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21780 (GCVE-0-2025-21780)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
It malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:25.628048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:26.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3484ea33157bc7334f57e64826ec5a4bf992151a",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "e43a8b9c4d700ffec819c5043a48769b3e7d9cab",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "2498d2db1d35e88a2060ea191ae75dce853dd084",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "231075c5a8ea54f34b7c4794687baa980814e6de",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
},
{
"lessThan": "1abb2648698bf10783d2236a6b4a7ca5e8021699",
"status": "affected",
"version": "137d63abbf6a0859e79b662e81d21170ecb75e59",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:06.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3484ea33157bc7334f57e64826ec5a4bf992151a"
},
{
"url": "https://git.kernel.org/stable/c/e43a8b9c4d700ffec819c5043a48769b3e7d9cab"
},
{
"url": "https://git.kernel.org/stable/c/2498d2db1d35e88a2060ea191ae75dce853dd084"
},
{
"url": "https://git.kernel.org/stable/c/231075c5a8ea54f34b7c4794687baa980814e6de"
},
{
"url": "https://git.kernel.org/stable/c/1abb2648698bf10783d2236a6b4a7ca5e8021699"
}
],
"title": "drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21780",
"datePublished": "2025-02-27T02:18:23.543Z",
"dateReserved": "2024-12-29T08:45:45.764Z",
"dateUpdated": "2025-11-03T20:59:26.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49106 (GCVE-0-2022-49106)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: vchiq_arm: Avoid NULL ptr deref in vchiq_dump_platform_instances
vchiq_get_state() can return a NULL pointer. So handle this cases and
avoid a NULL pointer derefence in vchiq_dump_platform_instances.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:08.108427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:04.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "176df12b38c70b0a45e6392a0ee5bc83489dfc29",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "4627250cabaa80278d3ab01ad107893cea83799f",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "51e5e5c34c22c0bfec0808d8c33e0b2fcf4c7c89",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "aa899e686d442c63d50f4d369cc02dbbf0941cb0",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_arm: Avoid NULL ptr deref in vchiq_dump_platform_instances\n\nvchiq_get_state() can return a NULL pointer. So handle this cases and\navoid a NULL pointer derefence in vchiq_dump_platform_instances."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:59.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/176df12b38c70b0a45e6392a0ee5bc83489dfc29"
},
{
"url": "https://git.kernel.org/stable/c/4627250cabaa80278d3ab01ad107893cea83799f"
},
{
"url": "https://git.kernel.org/stable/c/51e5e5c34c22c0bfec0808d8c33e0b2fcf4c7c89"
},
{
"url": "https://git.kernel.org/stable/c/aa899e686d442c63d50f4d369cc02dbbf0941cb0"
}
],
"title": "staging: vchiq_arm: Avoid NULL ptr deref in vchiq_dump_platform_instances",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49106",
"datePublished": "2025-02-26T01:54:53.985Z",
"dateReserved": "2025-02-26T01:49:39.251Z",
"dateUpdated": "2025-10-01T19:57:04.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49436 (GCVE-0-2022-49436)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/papr_scm: Fix leaking nvdimm_events_map elements
Right now 'char *' elements allocated for individual 'stat_id' in
'papr_scm_priv.nvdimm_events_map[]' during papr_scm_pmu_check_events(), get
leaked in papr_scm_remove() and papr_scm_pmu_register(),
papr_scm_pmu_check_events() error paths.
Also individual 'stat_id' arent NULL terminated 'char *' instead they are fixed
8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a
NULL terminated 'char *' and at other places it assumes it to be a
'papr_scm_perf_stat.stat_id' sized string which is 8-byes in size.
Fix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also
include space for 'stat_id' entries. This is possible since number of available
events/stat_ids are known upfront. This saves some memory and one extra level of
indirection from 'nvdimm_events_map' to 'stat_id'. Also rest of the code
can continue to call 'kfree(papr_scm_priv.nvdimm_events_map)' without needing to
iterate over the array and free up individual elements.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/papr_scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b073096df4dec70d0436321b7093bad27ae91f9e",
"status": "affected",
"version": "4c08d4bbc089a95f3f38389c2b79dbc6ab24f10b",
"versionType": "git"
},
{
"lessThan": "0e0946e22f3665d27325d389ff45ade6e93f3678",
"status": "affected",
"version": "4c08d4bbc089a95f3f38389c2b79dbc6ab24f10b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/papr_scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: Fix leaking nvdimm_events_map elements\n\nRight now \u0027char *\u0027 elements allocated for individual \u0027stat_id\u0027 in\n\u0027papr_scm_priv.nvdimm_events_map[]\u0027 during papr_scm_pmu_check_events(), get\nleaked in papr_scm_remove() and papr_scm_pmu_register(),\npapr_scm_pmu_check_events() error paths.\n\nAlso individual \u0027stat_id\u0027 arent NULL terminated \u0027char *\u0027 instead they are fixed\n8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a\nNULL terminated \u0027char *\u0027 and at other places it assumes it to be a\n\u0027papr_scm_perf_stat.stat_id\u0027 sized string which is 8-byes in size.\n\nFix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also\ninclude space for \u0027stat_id\u0027 entries. This is possible since number of available\nevents/stat_ids are known upfront. This saves some memory and one extra level of\nindirection from \u0027nvdimm_events_map\u0027 to \u0027stat_id\u0027. Also rest of the code\ncan continue to call \u0027kfree(papr_scm_priv.nvdimm_events_map)\u0027 without needing to\niterate over the array and free up individual elements."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:37.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b073096df4dec70d0436321b7093bad27ae91f9e"
},
{
"url": "https://git.kernel.org/stable/c/0e0946e22f3665d27325d389ff45ade6e93f3678"
}
],
"title": "powerpc/papr_scm: Fix leaking nvdimm_events_map elements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49436",
"datePublished": "2025-02-26T02:12:52.044Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:37.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49346 (GCVE-0-2022-49346)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list
Every iteration of for_each_available_child_of_node() decrements
the reference count of the previous node.
when breaking early from a for_each_available_child_of_node() loop,
we need to explicitly call of_node_put() on the gphy_fw_np.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b Version: 14fceff4771e51b23b4485b575cf9e5b3414b89b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:55.975462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:54.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/lantiq_gswip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c8df6fad43d9d5d77f281f794b2a93cd02fd1a9",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
},
{
"lessThan": "c2ae49a113a5344232f1ebb93bcf18bbd11e9c39",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
},
{
"lessThan": "54d6802c4d83fa8de7696cfec06f475d5fd92d27",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
},
{
"lessThan": "32cd78c5610f02a929f63cac985e73692d05f33e",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
},
{
"lessThan": "2e007ac6fa7c9c94ad84da075c5c504afad690a0",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
},
{
"lessThan": "0737e018a05e2aa352828c52bdeed3b02cff2930",
"status": "affected",
"version": "14fceff4771e51b23b4485b575cf9e5b3414b89b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/lantiq_gswip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list\n\nEvery iteration of for_each_available_child_of_node() decrements\nthe reference count of the previous node.\nwhen breaking early from a for_each_available_child_of_node() loop,\nwe need to explicitly call of_node_put() on the gphy_fw_np.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:46.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c8df6fad43d9d5d77f281f794b2a93cd02fd1a9"
},
{
"url": "https://git.kernel.org/stable/c/c2ae49a113a5344232f1ebb93bcf18bbd11e9c39"
},
{
"url": "https://git.kernel.org/stable/c/54d6802c4d83fa8de7696cfec06f475d5fd92d27"
},
{
"url": "https://git.kernel.org/stable/c/32cd78c5610f02a929f63cac985e73692d05f33e"
},
{
"url": "https://git.kernel.org/stable/c/2e007ac6fa7c9c94ad84da075c5c504afad690a0"
},
{
"url": "https://git.kernel.org/stable/c/0737e018a05e2aa352828c52bdeed3b02cff2930"
}
],
"title": "net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49346",
"datePublished": "2025-02-26T02:11:01.485Z",
"dateReserved": "2025-02-26T02:08:31.543Z",
"dateUpdated": "2025-10-01T19:46:54.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47635 (GCVE-0-2021-47635)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix to add refcount once page is set private
MM defined the rule [1] very clearly that once page was set with PG_private
flag, we should increment the refcount in that page, also main flows like
pageout(), migrate_page() will assume there is one additional page
reference count if page_has_private() returns true. Otherwise, we may
get a BUG in page migration:
page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8
index:0xe2 pfn:0x14c12
aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:"f30e"
flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|
zone=1|lastcpupid=0x1fffff)
page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
------------[ cut here ]------------
kernel BUG at include/linux/page_ref.h:184!
invalid opcode: 0000 [#1] SMP
CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5
RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
Call Trace:
ubifs_migrate_page+0x22/0xc0 [ubifs]
move_to_new_page+0xb4/0x600
migrate_pages+0x1523/0x1cc0
compact_zone+0x8c5/0x14b0
kcompactd+0x2bc/0x560
kthread+0x18c/0x1e0
ret_from_fork+0x1f/0x30
Before the time, we should make clean a concept, what does refcount means
in page gotten from grab_cache_page_write_begin(). There are 2 situations:
Situation 1: refcount is 3, page is created by __page_cache_alloc.
TYPE_A - the write process is using this page
TYPE_B - page is assigned to one certain mapping by calling
__add_to_page_cache_locked()
TYPE_C - page is added into pagevec list corresponding current cpu by
calling lru_cache_add()
Situation 2: refcount is 2, page is gotten from the mapping's tree
TYPE_B - page has been assigned to one certain mapping
TYPE_A - the write process is using this page (by calling
page_cache_get_speculative())
Filesystem releases one refcount by calling put_page() in xxx_write_end(),
the released refcount corresponds to TYPE_A (write task is using it). If
there are any processes using a page, page migration process will skip the
page by judging whether expected_page_refs() equals to page refcount.
The BUG is caused by following process:
PA(cpu 0) kcompactd(cpu 1)
compact_zone
ubifs_write_begin
page_a = grab_cache_page_write_begin
add_to_page_cache_lru
lru_cache_add
pagevec_add // put page into cpu 0's pagevec
(refcnf = 3, for page creation process)
ubifs_write_end
SetPagePrivate(page_a) // doesn't increase page count !
unlock_page(page_a)
put_page(page_a) // refcnt = 2
[...]
PB(cpu 0)
filemap_read
filemap_get_pages
add_to_page_cache_lru
lru_cache_add
__pagevec_lru_add // traverse all pages in cpu 0's pagevec
__pagevec_lru_add_fn
SetPageLRU(page_a)
isolate_migratepages
isolate_migratepages_block
get_page_unless_zero(page_a)
// refcnt = 3
list_add(page_a, from_list)
migrate_pages(from_list)
__unmap_and_move
move_to_new_page
ubifs_migrate_page(page_a)
migrate_page_move_mapping
expected_page_refs get 3
(migration[1] + mapping[1] + private[1])
release_pages
put_page_testzero(page_a) // refcnt = 3
page_ref_freeze // refcnt = 0
page_ref_dec_and_test(0 - 1 = -1)
page_ref_unfreeze
VM_BUG_ON_PAGE(-1 != 0, page)
UBIFS doesn't increase the page refcount after setting private flag, which
leads to page migration task believes the page is not used by any other
processes, so the page is migrated. This causes concurrent accessing on
page refcount between put_page() called by other process(eg. read process
calls lru_cache_add) and page_ref_unfreeze() called by mi
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c34ae24a2590fee96a3a7735ba2fa6cc52306221",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "4f75bab98565afd4f905059c56ec4caba88a7eec",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "5aaa2c0f0052b02c4a982993d4c5bb68fb7cbe22",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "fbeb2139eed65e929ce806c6468e6601ade01b1b",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "3b67db8a6ca83e6ff90b756d3da0c966f61cd37b",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix to add refcount once page is set private\n\nMM defined the rule [1] very clearly that once page was set with PG_private\nflag, we should increment the refcount in that page, also main flows like\npageout(), migrate_page() will assume there is one additional page\nreference count if page_has_private() returns true. Otherwise, we may\nget a BUG in page migration:\n\n page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8\n index:0xe2 pfn:0x14c12\n aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:\"f30e\"\n flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|\n zone=1|lastcpupid=0x1fffff)\n page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)\n ------------[ cut here ]------------\n kernel BUG at include/linux/page_ref.h:184!\n invalid opcode: 0000 [#1] SMP\n CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5\n RIP: 0010:migrate_page_move_mapping+0xac3/0xe70\n Call Trace:\n ubifs_migrate_page+0x22/0xc0 [ubifs]\n move_to_new_page+0xb4/0x600\n migrate_pages+0x1523/0x1cc0\n compact_zone+0x8c5/0x14b0\n kcompactd+0x2bc/0x560\n kthread+0x18c/0x1e0\n ret_from_fork+0x1f/0x30\n\nBefore the time, we should make clean a concept, what does refcount means\nin page gotten from grab_cache_page_write_begin(). There are 2 situations:\nSituation 1: refcount is 3, page is created by __page_cache_alloc.\n TYPE_A - the write process is using this page\n TYPE_B - page is assigned to one certain mapping by calling\n\t __add_to_page_cache_locked()\n TYPE_C - page is added into pagevec list corresponding current cpu by\n\t calling lru_cache_add()\nSituation 2: refcount is 2, page is gotten from the mapping\u0027s tree\n TYPE_B - page has been assigned to one certain mapping\n TYPE_A - the write process is using this page (by calling\n\t page_cache_get_speculative())\nFilesystem releases one refcount by calling put_page() in xxx_write_end(),\nthe released refcount corresponds to TYPE_A (write task is using it). If\nthere are any processes using a page, page migration process will skip the\npage by judging whether expected_page_refs() equals to page refcount.\n\nThe BUG is caused by following process:\n PA(cpu 0) kcompactd(cpu 1)\n\t\t\t\tcompact_zone\nubifs_write_begin\n page_a = grab_cache_page_write_begin\n add_to_page_cache_lru\n lru_cache_add\n pagevec_add // put page into cpu 0\u0027s pagevec\n (refcnf = 3, for page creation process)\nubifs_write_end\n SetPagePrivate(page_a) // doesn\u0027t increase page count !\n unlock_page(page_a)\n put_page(page_a) // refcnt = 2\n\t\t\t\t[...]\n\n PB(cpu 0)\nfilemap_read\n filemap_get_pages\n add_to_page_cache_lru\n lru_cache_add\n __pagevec_lru_add // traverse all pages in cpu 0\u0027s pagevec\n\t __pagevec_lru_add_fn\n\t SetPageLRU(page_a)\n\t\t\t\tisolate_migratepages\n isolate_migratepages_block\n\t\t\t\t get_page_unless_zero(page_a)\n\t\t\t\t // refcnt = 3\n list_add(page_a, from_list)\n\t\t\t\tmigrate_pages(from_list)\n\t\t\t\t __unmap_and_move\n\t\t\t\t move_to_new_page\n\t\t\t\t ubifs_migrate_page(page_a)\n\t\t\t\t migrate_page_move_mapping\n\t\t\t\t\t expected_page_refs get 3\n (migration[1] + mapping[1] + private[1])\n\t release_pages\n\t put_page_testzero(page_a) // refcnt = 3\n page_ref_freeze // refcnt = 0\n\t page_ref_dec_and_test(0 - 1 = -1)\n page_ref_unfreeze\n VM_BUG_ON_PAGE(-1 != 0, page)\n\nUBIFS doesn\u0027t increase the page refcount after setting private flag, which\nleads to page migration task believes the page is not used by any other\nprocesses, so the page is migrated. This causes concurrent accessing on\npage refcount between put_page() called by other process(eg. read process\ncalls lru_cache_add) and page_ref_unfreeze() called by mi\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:14.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c34ae24a2590fee96a3a7735ba2fa6cc52306221"
},
{
"url": "https://git.kernel.org/stable/c/4f75bab98565afd4f905059c56ec4caba88a7eec"
},
{
"url": "https://git.kernel.org/stable/c/5aaa2c0f0052b02c4a982993d4c5bb68fb7cbe22"
},
{
"url": "https://git.kernel.org/stable/c/fbeb2139eed65e929ce806c6468e6601ade01b1b"
},
{
"url": "https://git.kernel.org/stable/c/3b67db8a6ca83e6ff90b756d3da0c966f61cd37b"
}
],
"title": "ubifs: Fix to add refcount once page is set private",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47635",
"datePublished": "2025-02-26T01:54:09.701Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-05-04T07:15:14.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49667 (GCVE-0-2022-49667)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free after 802.3ad slave unbind
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
resolve case, when there is several aggregation groups in the same bond.
bond_3ad_unbind_slave will invalidate (clear) aggregator when
__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
will not update slave ports list, because lag_ports==NULL. So, here we
got slave ports, pointing to freed aggregator memory.
Fix with checking actual number of ports in group (as was before
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
before ad_clear_agg().
The KASAN logs are as follows:
[ 767.617392] ==================================================================
[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[ 767.666468] Call trace:
[ 767.668930] dump_backtrace+0x0/0x2d0
[ 767.672625] show_stack+0x24/0x30
[ 767.675965] dump_stack_lvl+0x68/0x84
[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
[ 767.685451] kasan_report+0x1f0/0x260
[ 767.689148] __asan_load2+0x94/0xd0
[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 Version: 0622cab0341cac6b30da177b0faa39fae0680e71 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:14.271545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_3ad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "b90ac60303063a43e17dd4aec159067599d255e6",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "f162f7c348fa2a5555bafdb5cc890b89b221e69c",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "893825289ba840afd86bfffcb6f7f363c73efff8",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "63b2fe509f69b90168a75e04e14573dccf7984e6",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "ef0af7d08d26c5333ff4944a559279464edf6f15",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "2765749def4765c5052a4c66445cf4c96fcccdbc",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "050133e1aa2cb49bb17be847d48a4431598ef562",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_3ad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.322",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.287",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.251",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free after 802.3ad slave unbind\n\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\"),\nresolve case, when there is several aggregation groups in the same bond.\nbond_3ad_unbind_slave will invalidate (clear) aggregator when\n__agg_active_ports return zero. So, ad_clear_agg can be executed even, when\nnum_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,\npreviously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave\nwill not update slave ports list, because lag_ports==NULL. So, here we\ngot slave ports, pointing to freed aggregator memory.\n\nFix with checking actual number of ports in group (as was before\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\") ),\nbefore ad_clear_agg().\n\nThe KASAN logs are as follows:\n\n[ 767.617392] ==================================================================\n[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470\n[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767\n[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15\n[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler\n[ 767.666468] Call trace:\n[ 767.668930] dump_backtrace+0x0/0x2d0\n[ 767.672625] show_stack+0x24/0x30\n[ 767.675965] dump_stack_lvl+0x68/0x84\n[ 767.679659] print_address_description.constprop.0+0x74/0x2b8\n[ 767.685451] kasan_report+0x1f0/0x260\n[ 767.689148] __asan_load2+0x94/0xd0\n[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:54.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e"
},
{
"url": "https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6"
},
{
"url": "https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c"
},
{
"url": "https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8"
},
{
"url": "https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6"
},
{
"url": "https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15"
},
{
"url": "https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc"
},
{
"url": "https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562"
}
],
"title": "net: bonding: fix use-after-free after 802.3ad slave unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49667",
"datePublished": "2025-02-26T02:24:01.818Z",
"dateReserved": "2025-02-26T02:21:30.436Z",
"dateUpdated": "2025-05-04T08:42:54.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49396 (GCVE-0-2022-49396)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qmp: fix reset-controller leak on probe errors
Make sure to release the lane reset controller in case of a late probe
error (e.g. probe deferral).
Note that due to the reset controller being defined in devicetree in
"lane" child nodes, devm_reset_control_get_exclusive() cannot be used
directly.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7b5fbcaac5355e2e695dc0c08a0fcf248250388",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "a39d9eccb333b8c07c43ebea1c6dfda122378a0f",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "7ac21b24af859c097eb4034e93430056068f8f31",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "2156dc390402043ba5982489c6625adcb0b0975c",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "ba173a6f8d8dffed64bb13ab23081bdddfb464f0",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "feb05b10b3ed3ae21b851520a0d0b71685439517",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "8c03eb0c8982677b4e17174073a011788891304d",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "4d2900f20edfe541f75756a00deeb2ffe7c66bc1",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix reset-controller leak on probe errors\n\nMake sure to release the lane reset controller in case of a late probe\nerror (e.g. probe deferral).\n\nNote that due to the reset controller being defined in devicetree in\n\"lane\" child nodes, devm_reset_control_get_exclusive() cannot be used\ndirectly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:47.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7b5fbcaac5355e2e695dc0c08a0fcf248250388"
},
{
"url": "https://git.kernel.org/stable/c/a39d9eccb333b8c07c43ebea1c6dfda122378a0f"
},
{
"url": "https://git.kernel.org/stable/c/7ac21b24af859c097eb4034e93430056068f8f31"
},
{
"url": "https://git.kernel.org/stable/c/2156dc390402043ba5982489c6625adcb0b0975c"
},
{
"url": "https://git.kernel.org/stable/c/ba173a6f8d8dffed64bb13ab23081bdddfb464f0"
},
{
"url": "https://git.kernel.org/stable/c/feb05b10b3ed3ae21b851520a0d0b71685439517"
},
{
"url": "https://git.kernel.org/stable/c/8c03eb0c8982677b4e17174073a011788891304d"
},
{
"url": "https://git.kernel.org/stable/c/4d2900f20edfe541f75756a00deeb2ffe7c66bc1"
}
],
"title": "phy: qcom-qmp: fix reset-controller leak on probe errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49396",
"datePublished": "2025-02-26T02:11:26.145Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T08:36:47.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35910 (GCVE-0-2024-35910)
Vulnerability from cvelistv5
Published
2024-05-19 08:35
Modified
2025-05-04 09:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: properly terminate timers for kernel sockets
We had various syzbot reports about tcp timers firing after
the corresponding netns has been dismantled.
Fortunately Josef Bacik could trigger the issue more often,
and could test a patch I wrote two years ago.
When TCP sockets are closed, we call inet_csk_clear_xmit_timers()
to 'stop' the timers.
inet_csk_clear_xmit_timers() can be called from any context,
including when socket lock is held.
This is the reason it uses sk_stop_timer(), aka del_timer().
This means that ongoing timers might finish much later.
For user sockets, this is fine because each running timer
holds a reference on the socket, and the user socket holds
a reference on the netns.
For kernel sockets, we risk that the netns is freed before
timer can complete, because kernel sockets do not hold
reference on the netns.
This patch adds inet_csk_clear_xmit_timers_sync() function
that using sk_stop_timer_sync() to make sure all timers
are terminated before the kernel socket is released.
Modules using kernel sockets close them in their netns exit()
handler.
Also add sock_not_owned_by_me() helper to get LOCKDEP
support : inet_csk_clear_xmit_timers_sync() must not be called
while socket lock is held.
It is very possible we can revert in the future commit
3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
which attempted to solve the issue in rds only.
(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)
We probably can remove the check_net() tests from
tcp_out_of_resources() and __tcp_close() in the future.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe Version: 26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35910",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T18:25:39.390284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T19:44:27.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_connection_sock.h",
"include/net/sock.h",
"net/ipv4/inet_connection_sock.c",
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93f0133b9d589cc6e865f254ad9be3e9d8133f50",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "44e62f5d35678686734afd47c6a421ad30772e7f",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "e3e27d2b446deb1f643758a0c4731f5c22492810",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "91b243de910a9ac8476d40238ab3dbfeedd5b7de",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "c1ae4d1e76eacddaacb958b67cd942082f800c87",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "899265c1389fe022802aae73dbf13ee08837a35a",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
},
{
"lessThan": "151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada",
"status": "affected",
"version": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_connection_sock.h",
"include/net/sock.h",
"net/ipv4/inet_connection_sock.c",
"net/ipv4/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto \u0027stop\u0027 the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:08:11.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50"
},
{
"url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f"
},
{
"url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810"
},
{
"url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4"
},
{
"url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de"
},
{
"url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87"
},
{
"url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a"
},
{
"url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada"
}
],
"title": "tcp: properly terminate timers for kernel sockets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35910",
"datePublished": "2024-05-19T08:35:03.287Z",
"dateReserved": "2024-05-17T13:50:33.121Z",
"dateUpdated": "2025-05-04T09:08:11.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49644 (GCVE-0-2022-49644)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
If drm_connector_init fails, intel_connector_free will be called to take
care of proper free. So it is necessary to drop the refcount of port
before intel_connector_free.
(cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:51.519733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_dp_mst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72f231b9a88abcfac9f5ddaa1a0aacb3f9f87ba5",
"status": "affected",
"version": "091a4f91942a4396c67e5747f5cb38c6396d1fc5",
"versionType": "git"
},
{
"lessThan": "592f3bad00b7e2a95a6fb7a4f9e742c061c9c3c1",
"status": "affected",
"version": "091a4f91942a4396c67e5747f5cb38c6396d1fc5",
"versionType": "git"
},
{
"lessThan": "505114dda5bbfd07f4ce9a2df5b7d8ef5f2a1218",
"status": "affected",
"version": "091a4f91942a4396c67e5747f5cb38c6396d1fc5",
"versionType": "git"
},
{
"lessThan": "a91522b4279bebb098106a19b91f82b9c3213be9",
"status": "affected",
"version": "091a4f91942a4396c67e5747f5cb38c6396d1fc5",
"versionType": "git"
},
{
"lessThan": "85144df9ff4652816448369de76897c57cbb1b93",
"status": "affected",
"version": "091a4f91942a4396c67e5747f5cb38c6396d1fc5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_dp_mst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()\n\nIf drm_connector_init fails, intel_connector_free will be called to take\ncare of proper free. So it is necessary to drop the refcount of port\nbefore intel_connector_free.\n\n(cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:27.608Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72f231b9a88abcfac9f5ddaa1a0aacb3f9f87ba5"
},
{
"url": "https://git.kernel.org/stable/c/592f3bad00b7e2a95a6fb7a4f9e742c061c9c3c1"
},
{
"url": "https://git.kernel.org/stable/c/505114dda5bbfd07f4ce9a2df5b7d8ef5f2a1218"
},
{
"url": "https://git.kernel.org/stable/c/a91522b4279bebb098106a19b91f82b9c3213be9"
},
{
"url": "https://git.kernel.org/stable/c/85144df9ff4652816448369de76897c57cbb1b93"
}
],
"title": "drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49644",
"datePublished": "2025-02-26T02:23:50.134Z",
"dateReserved": "2025-02-26T02:21:30.432Z",
"dateUpdated": "2025-10-01T19:36:48.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49679 (GCVE-0-2022-49679)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: Fix refcount leak in axxia_boot_secondary
of_find_compatible_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 Version: 1d22924e1c4e299337e86e290c02c3e3eb43b608 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:05.829477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:46.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-axxia/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9b76c232a1ce4cbf27862097f7eb634dcc779eb",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "b385cb59aac8d61c29bc72ebf3d19a536914af96",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "71e12e5b02674459a24f16e965255d63b31fe049",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "29ca9c4efacccdc15104a8d4bf10b5183fc92840",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "44a5b3a073e5aaa5720929dba95b2725eb32bb65",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "4d9c60e868f7cf8e09956e7d5bb44d807d712699",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "3c19fe3f04f4f4e7a2b722c2fd3c98356fc1d72b",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
},
{
"lessThan": "7c7ff68daa93d8c4cdea482da4f2429c0398fcde",
"status": "affected",
"version": "1d22924e1c4e299337e86e290c02c3e3eb43b608",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-axxia/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.321",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.286",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: Fix refcount leak in axxia_boot_secondary\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:09.809Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9b76c232a1ce4cbf27862097f7eb634dcc779eb"
},
{
"url": "https://git.kernel.org/stable/c/b385cb59aac8d61c29bc72ebf3d19a536914af96"
},
{
"url": "https://git.kernel.org/stable/c/71e12e5b02674459a24f16e965255d63b31fe049"
},
{
"url": "https://git.kernel.org/stable/c/29ca9c4efacccdc15104a8d4bf10b5183fc92840"
},
{
"url": "https://git.kernel.org/stable/c/44a5b3a073e5aaa5720929dba95b2725eb32bb65"
},
{
"url": "https://git.kernel.org/stable/c/4d9c60e868f7cf8e09956e7d5bb44d807d712699"
},
{
"url": "https://git.kernel.org/stable/c/3c19fe3f04f4f4e7a2b722c2fd3c98356fc1d72b"
},
{
"url": "https://git.kernel.org/stable/c/7c7ff68daa93d8c4cdea482da4f2429c0398fcde"
}
],
"title": "ARM: Fix refcount leak in axxia_boot_secondary",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49679",
"datePublished": "2025-02-26T02:24:09.299Z",
"dateReserved": "2025-02-26T02:21:30.439Z",
"dateUpdated": "2025-10-01T19:36:46.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58013 (GCVE-0-2024-58013)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961
CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 16026:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
sock_write_iter+0x2d7/0x3f0 net/socket.c:1147
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 16022:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x420 mm/slub.c:4746
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
__mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550
hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
sock_do_ioctl+0x158/0x460 net/socket.c:1209
sock_ioctl+0x626/0x8e0 net/socket.c:1328
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:14:21.847636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:21:43.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:28.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75e65b983c5e2ee51962bfada98a79d805f28827",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "4ebbcb9bc794e5be647ee28fdf14eb1ae0659405",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "26fbd3494a7dd26269cb0817c289267dbcfdec06",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\n\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nAllocated by task 16026:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n sock_write_iter+0x2d7/0x3f0 net/socket.c:1147\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0xaeb/0xd30 fs/read_write.c:679\n ksys_write+0x18f/0x2b0 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 16022:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 [inline]\n slab_free mm/slub.c:4598 [inline]\n kfree+0x196/0x420 mm/slub.c:4746\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\n hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1209\n sock_ioctl+0x626/0x8e0 net/socket.c:1328\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:43.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827"
},
{
"url": "https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405"
},
{
"url": "https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987"
},
{
"url": "https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68"
},
{
"url": "https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06"
}
],
"title": "Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58013",
"datePublished": "2025-02-27T02:12:06.735Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:28.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21693 (GCVE-0-2025-21693)
Vulnerability from cvelistv5
Published
2025-02-10 15:58
Modified
2025-05-04 07:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: zswap: properly synchronize freeing resources during CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as some of the resources attached to the acomp_ctx
are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
and freeing resources with compression/decompression paths. Make sure
that acomp_ctx.req is NULL when the resources are freed. In the
compression/decompression paths, check if acomp_ctx.req is NULL after
acquiring the mutex (meaning the CPU was offlined) and retry on the new
CPU.
The initialization of acomp_ctx.mutex is moved from the CPU hotplug
callback to the pool initialization where it belongs (where the mutex is
allocated). In addition to adding clarity, this makes sure that CPU
hotplug cannot reinitialize a mutex that is already locked by
compression/decompression.
Previously a fix was attempted by holding cpus_read_lock() [1]. This
would have caused a potential deadlock as it is possible for code already
holding the lock to fall into reclaim and enter zswap (causing a
deadlock). A fix was also attempted using SRCU for synchronization, but
Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug
notifiers [2].
Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in
handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the
CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but
that's discouraged and is a much bigger hammer than needed, and could
result in subtle performance issues.
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
[yosryahmed@google.com: remove comment]
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:10:07.856772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:11:03.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1",
"status": "affected",
"version": "1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161",
"versionType": "git"
},
{
"lessThan": "12dcb0ef540629a281533f9dedc1b6b8e14cfb65",
"status": "affected",
"version": "1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.12",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: properly synchronize freeing resources during CPU hotunplug\n\nIn zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the\ncurrent CPU at the beginning of the operation is retrieved and used\nthroughout. However, since neither preemption nor migration are disabled,\nit is possible that the operation continues on a different CPU.\n\nIf the original CPU is hotunplugged while the acomp_ctx is still in use,\nwe run into a UAF bug as some of the resources attached to the acomp_ctx\nare freed during hotunplug in zswap_cpu_comp_dead() (i.e. \nacomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).\n\nThe problem was introduced in commit 1ec3b5fe6eec (\"mm/zswap: move to use\ncrypto_acomp API for hardware acceleration\") when the switch to the\ncrypto_acomp API was made. Prior to that, the per-CPU crypto_comp was\nretrieved using get_cpu_ptr() which disables preemption and makes sure the\nCPU cannot go away from under us. Preemption cannot be disabled with the\ncrypto_acomp API as a sleepable context is needed.\n\nUse the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating\nand freeing resources with compression/decompression paths. Make sure\nthat acomp_ctx.req is NULL when the resources are freed. In the\ncompression/decompression paths, check if acomp_ctx.req is NULL after\nacquiring the mutex (meaning the CPU was offlined) and retry on the new\nCPU.\n\nThe initialization of acomp_ctx.mutex is moved from the CPU hotplug\ncallback to the pool initialization where it belongs (where the mutex is\nallocated). In addition to adding clarity, this makes sure that CPU\nhotplug cannot reinitialize a mutex that is already locked by\ncompression/decompression.\n\nPreviously a fix was attempted by holding cpus_read_lock() [1]. This\nwould have caused a potential deadlock as it is possible for code already\nholding the lock to fall into reclaim and enter zswap (causing a\ndeadlock). A fix was also attempted using SRCU for synchronization, but\nJohannes pointed out that synchronize_srcu() cannot be used in CPU hotplug\nnotifiers [2].\n\nAlternative fixes that were considered/attempted and could have worked:\n- Refcounting the per-CPU acomp_ctx. This involves complexity in\n handling the race between the refcount dropping to zero in\n zswap_[de]compress() and the refcount being re-initialized when the\n CPU is onlined.\n- Disabling migration before getting the per-CPU acomp_ctx [3], but\n that\u0027s discouraged and is a much bigger hammer than needed, and could\n result in subtle performance issues.\n\n[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/\n[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/\n[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/\n\n[yosryahmed@google.com: remove comment]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:10.155Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1"
},
{
"url": "https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65"
}
],
"title": "mm: zswap: properly synchronize freeing resources during CPU hotunplug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21693",
"datePublished": "2025-02-10T15:58:49.056Z",
"dateReserved": "2024-12-29T08:45:45.742Z",
"dateUpdated": "2025-05-04T07:19:10.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49703 (GCVE-0-2022-49703)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Store vhost pointer during subcrq allocation
Currently the back pointer from a queue to the vhost adapter isn't set
until after subcrq interrupt registration. The value is available when a
queue is first allocated and can/should be also set for primary and async
queues as well as subcrqs.
This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS
interrupt controller where a pending subcrq interrupt from the previous
kernel can be replayed immediately upon IRQ registration resulting in
dereference of a garbage backpointer in ibmvfc_interrupt_scsi().
Kernel attempted to read user page (58) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000058
Faulting instruction address: 0xc008000003216a08
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]
LR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
Call Trace:
[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)
[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188
[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310
[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80
[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0
[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130
[c000000014622f60] [0000000020000000] 0x20000000
[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0
[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0
[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170
[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0
[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0
[c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230
[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]
[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]
[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]
[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]
[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:39.217289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c",
"drivers/scsi/ibmvscsi/ibmvfc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8540f66196ca35b7b5e902932571c18b9fde0cd1",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
},
{
"lessThan": "6d38e3b614ded59da8b95377a98df969a5a5627a",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
},
{
"lessThan": "aeaadcde1a60138bceb65de3cdaeec78170b4459",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c",
"drivers/scsi/ibmvscsi/ibmvfc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Store vhost pointer during subcrq allocation\n\nCurrently the back pointer from a queue to the vhost adapter isn\u0027t set\nuntil after subcrq interrupt registration. The value is available when a\nqueue is first allocated and can/should be also set for primary and async\nqueues as well as subcrqs.\n\nThis fixes a crash observed during kexec/kdump on Power 9 with legacy XICS\ninterrupt controller where a pending subcrq interrupt from the previous\nkernel can be replayed immediately upon IRQ registration resulting in\ndereference of a garbage backpointer in ibmvfc_interrupt_scsi().\n\nKernel attempted to read user page (58) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000058\nFaulting instruction address: 0xc008000003216a08\nOops: Kernel access of bad area, sig: 11 [#1]\n...\nNIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]\nLR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\nCall Trace:\n[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)\n[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\n[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188\n[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310\n[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80\n[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0\n[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130\n[c000000014622f60] [0000000020000000] 0x20000000\n[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0\n[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0\n[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170\n[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0\n[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0\n[c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230\n[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]\n[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]\n[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]\n[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]\n[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:36.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8540f66196ca35b7b5e902932571c18b9fde0cd1"
},
{
"url": "https://git.kernel.org/stable/c/6d38e3b614ded59da8b95377a98df969a5a5627a"
},
{
"url": "https://git.kernel.org/stable/c/aeaadcde1a60138bceb65de3cdaeec78170b4459"
}
],
"title": "scsi: ibmvfc: Store vhost pointer during subcrq allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49703",
"datePublished": "2025-02-26T02:24:22.700Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-10-01T19:36:45.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49093 (GCVE-0-2022-49093)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
skbuff: fix coalescing for page_pool fragment recycling
Fix a use-after-free when using page_pool with page fragments. We
encountered this problem during normal RX in the hns3 driver:
(1) Initially we have three descriptors in the RX queue. The first one
allocates PAGE1 through page_pool, and the other two allocate one
half of PAGE2 each. Page references look like this:
RX_BD1 _______ PAGE1
RX_BD2 _______ PAGE2
RX_BD3 _________/
(2) Handle RX on the first descriptor. Allocate SKB1, eventually added
to the receive queue by tcp_queue_rcv().
(3) Handle RX on the second descriptor. Allocate SKB2 and pass it to
netif_receive_skb():
netif_receive_skb(SKB2)
ip_rcv(SKB2)
SKB3 = skb_clone(SKB2)
SKB2 and SKB3 share a reference to PAGE2 through
skb_shinfo()->dataref. The other ref to PAGE2 is still held by
RX_BD3:
SKB2 ---+- PAGE2
SKB3 __/ /
RX_BD3 _________/
(3b) Now while handling TCP, coalesce SKB3 with SKB1:
tcp_v4_rcv(SKB3)
tcp_try_coalesce(to=SKB1, from=SKB3) // succeeds
kfree_skb_partial(SKB3)
skb_release_data(SKB3) // drops one dataref
SKB1 _____ PAGE1
\____
SKB2 _____ PAGE2
/
RX_BD3 _________/
In skb_try_coalesce(), __skb_frag_ref() takes a page reference to
PAGE2, where it should instead have increased the page_pool frag
reference, pp_frag_count. Without coalescing, when releasing both
SKB2 and SKB3, a single reference to PAGE2 would be dropped. Now
when releasing SKB1 and SKB2, two references to PAGE2 will be
dropped, resulting in underflow.
(3c) Drop SKB2:
af_packet_rcv(SKB2)
consume_skb(SKB2)
skb_release_data(SKB2) // drops second dataref
page_pool_return_skb_page(PAGE2) // drops one pp_frag_count
SKB1 _____ PAGE1
\____
PAGE2
/
RX_BD3 _________/
(4) Userspace calls recvmsg()
Copies SKB1 and releases it. Since SKB3 was coalesced with SKB1, we
release the SKB3 page as well:
tcp_eat_recv_skb(SKB1)
skb_release_data(SKB1)
page_pool_return_skb_page(PAGE1)
page_pool_return_skb_page(PAGE2) // drops second pp_frag_count
(5) PAGE2 is freed, but the third RX descriptor was still using it!
In our case this causes IOMMU faults, but it would silently corrupt
memory if the IOMMU was disabled.
Change the logic that checks whether pp_recycle SKBs can be coalesced.
We still reject differing pp_recycle between 'from' and 'to' SKBs, but
in order to avoid the situation described above, we also reject
coalescing when both 'from' and 'to' are pp_recycled and 'from' is
cloned.
The new logic allows coalescing a cloned pp_recycle SKB into a page
refcounted one, because in this case the release (4) will drop the right
reference, the one taken by skb_try_coalesce().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:26.547109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba965e8605aee5387cecaa28fcf7ee9f61779a49",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "c4fa19615806a9a7e518c295b39175aa47a685ac",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "72bb856d16e883437023ff2ff77d0c498018728a",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "1effe8ca4e34c34cdd9318436a4232dcb582ebf4",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: fix coalescing for page_pool fragment recycling\n\nFix a use-after-free when using page_pool with page fragments. We\nencountered this problem during normal RX in the hns3 driver:\n\n(1) Initially we have three descriptors in the RX queue. The first one\n allocates PAGE1 through page_pool, and the other two allocate one\n half of PAGE2 each. Page references look like this:\n\n RX_BD1 _______ PAGE1\n RX_BD2 _______ PAGE2\n RX_BD3 _________/\n\n(2) Handle RX on the first descriptor. Allocate SKB1, eventually added\n to the receive queue by tcp_queue_rcv().\n\n(3) Handle RX on the second descriptor. Allocate SKB2 and pass it to\n netif_receive_skb():\n\n netif_receive_skb(SKB2)\n ip_rcv(SKB2)\n SKB3 = skb_clone(SKB2)\n\n SKB2 and SKB3 share a reference to PAGE2 through\n skb_shinfo()-\u003edataref. The other ref to PAGE2 is still held by\n RX_BD3:\n\n SKB2 ---+- PAGE2\n SKB3 __/ /\n RX_BD3 _________/\n\n (3b) Now while handling TCP, coalesce SKB3 with SKB1:\n\n tcp_v4_rcv(SKB3)\n tcp_try_coalesce(to=SKB1, from=SKB3) // succeeds\n kfree_skb_partial(SKB3)\n skb_release_data(SKB3) // drops one dataref\n\n SKB1 _____ PAGE1\n \\____\n SKB2 _____ PAGE2\n /\n RX_BD3 _________/\n\n In skb_try_coalesce(), __skb_frag_ref() takes a page reference to\n PAGE2, where it should instead have increased the page_pool frag\n reference, pp_frag_count. Without coalescing, when releasing both\n SKB2 and SKB3, a single reference to PAGE2 would be dropped. Now\n when releasing SKB1 and SKB2, two references to PAGE2 will be\n dropped, resulting in underflow.\n\n (3c) Drop SKB2:\n\n af_packet_rcv(SKB2)\n consume_skb(SKB2)\n skb_release_data(SKB2) // drops second dataref\n page_pool_return_skb_page(PAGE2) // drops one pp_frag_count\n\n SKB1 _____ PAGE1\n \\____\n PAGE2\n /\n RX_BD3 _________/\n\n(4) Userspace calls recvmsg()\n Copies SKB1 and releases it. Since SKB3 was coalesced with SKB1, we\n release the SKB3 page as well:\n\n tcp_eat_recv_skb(SKB1)\n skb_release_data(SKB1)\n page_pool_return_skb_page(PAGE1)\n page_pool_return_skb_page(PAGE2) // drops second pp_frag_count\n\n(5) PAGE2 is freed, but the third RX descriptor was still using it!\n In our case this causes IOMMU faults, but it would silently corrupt\n memory if the IOMMU was disabled.\n\nChange the logic that checks whether pp_recycle SKBs can be coalesced.\nWe still reject differing pp_recycle between \u0027from\u0027 and \u0027to\u0027 SKBs, but\nin order to avoid the situation described above, we also reject\ncoalescing when both \u0027from\u0027 and \u0027to\u0027 are pp_recycled and \u0027from\u0027 is\ncloned.\n\nThe new logic allows coalescing a cloned pp_recycle SKB into a page\nrefcounted one, because in this case the release (4) will drop the right\nreference, the one taken by skb_try_coalesce()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:44.316Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba965e8605aee5387cecaa28fcf7ee9f61779a49"
},
{
"url": "https://git.kernel.org/stable/c/c4fa19615806a9a7e518c295b39175aa47a685ac"
},
{
"url": "https://git.kernel.org/stable/c/72bb856d16e883437023ff2ff77d0c498018728a"
},
{
"url": "https://git.kernel.org/stable/c/1effe8ca4e34c34cdd9318436a4232dcb582ebf4"
}
],
"title": "skbuff: fix coalescing for page_pool fragment recycling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49093",
"datePublished": "2025-02-26T01:54:47.669Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:44.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49468 (GCVE-0-2022-49468)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal/core: Fix memory leak in __thermal_cooling_device_register()
I got memory leak as follows when doing fault injection test:
unreferenced object 0xffff888010080000 (size 264312):
comm "182", pid 102533, jiffies 4296434960 (age 10.100s)
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
ff ff ff ff ff ff ff ff 40 7f 1f b9 ff ff ff ff ........@.......
backtrace:
[<0000000038b2f4fc>] kmalloc_order_trace+0x1d/0x110 mm/slab_common.c:969
[<00000000ebcb8da5>] __kmalloc+0x373/0x420 include/linux/slab.h:510
[<0000000084137f13>] thermal_cooling_device_setup_sysfs+0x15d/0x2d0 include/linux/slab.h:586
[<00000000352b8755>] __thermal_cooling_device_register+0x332/0xa60 drivers/thermal/thermal_core.c:927
[<00000000fb9f331b>] devm_thermal_of_cooling_device_register+0x6b/0xf0 drivers/thermal/thermal_core.c:1041
[<000000009b8012d2>] max6650_probe.cold+0x557/0x6aa drivers/hwmon/max6650.c:211
[<00000000da0b7e04>] i2c_device_probe+0x472/0xac0 drivers/i2c/i2c-core-base.c:561
If device_register() fails, thermal_cooling_device_destroy_sysfs() need be called
to free the memory allocated in thermal_cooling_device_setup_sysfs().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:52.745332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18530bedd221160823f63ccc20dd55c7a03edbcf",
"status": "affected",
"version": "8ea229511e06f9635ecc338dcbe0db41a73623f0",
"versionType": "git"
},
{
"lessThan": "21ccc58b671aea924f2481cf5c1cf0ebbfd3552d",
"status": "affected",
"version": "8ea229511e06f9635ecc338dcbe0db41a73623f0",
"versionType": "git"
},
{
"lessThan": "3802171f0b5b8b831f4ade5c827547cb323a5bb2",
"status": "affected",
"version": "8ea229511e06f9635ecc338dcbe0db41a73623f0",
"versionType": "git"
},
{
"lessThan": "9abdf0c0184230f0cb5c6685aabf33dda89aa9fb",
"status": "affected",
"version": "8ea229511e06f9635ecc338dcbe0db41a73623f0",
"versionType": "git"
},
{
"lessThan": "98a160e898c0f4a979af9de3ab48b4b1d42d1dbb",
"status": "affected",
"version": "8ea229511e06f9635ecc338dcbe0db41a73623f0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/core: Fix memory leak in __thermal_cooling_device_register()\n\nI got memory leak as follows when doing fault injection test:\n\nunreferenced object 0xffff888010080000 (size 264312):\n comm \"182\", pid 102533, jiffies 4296434960 (age 10.100s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 40 7f 1f b9 ff ff ff ff ........@.......\n backtrace:\n [\u003c0000000038b2f4fc\u003e] kmalloc_order_trace+0x1d/0x110 mm/slab_common.c:969\n [\u003c00000000ebcb8da5\u003e] __kmalloc+0x373/0x420 include/linux/slab.h:510\n [\u003c0000000084137f13\u003e] thermal_cooling_device_setup_sysfs+0x15d/0x2d0 include/linux/slab.h:586\n [\u003c00000000352b8755\u003e] __thermal_cooling_device_register+0x332/0xa60 drivers/thermal/thermal_core.c:927\n [\u003c00000000fb9f331b\u003e] devm_thermal_of_cooling_device_register+0x6b/0xf0 drivers/thermal/thermal_core.c:1041\n [\u003c000000009b8012d2\u003e] max6650_probe.cold+0x557/0x6aa drivers/hwmon/max6650.c:211\n [\u003c00000000da0b7e04\u003e] i2c_device_probe+0x472/0xac0 drivers/i2c/i2c-core-base.c:561\n\nIf device_register() fails, thermal_cooling_device_destroy_sysfs() need be called\nto free the memory allocated in thermal_cooling_device_setup_sysfs()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:23.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18530bedd221160823f63ccc20dd55c7a03edbcf"
},
{
"url": "https://git.kernel.org/stable/c/21ccc58b671aea924f2481cf5c1cf0ebbfd3552d"
},
{
"url": "https://git.kernel.org/stable/c/3802171f0b5b8b831f4ade5c827547cb323a5bb2"
},
{
"url": "https://git.kernel.org/stable/c/9abdf0c0184230f0cb5c6685aabf33dda89aa9fb"
},
{
"url": "https://git.kernel.org/stable/c/98a160e898c0f4a979af9de3ab48b4b1d42d1dbb"
}
],
"title": "thermal/core: Fix memory leak in __thermal_cooling_device_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49468",
"datePublished": "2025-02-26T02:13:12.713Z",
"dateReserved": "2025-02-26T02:08:31.578Z",
"dateUpdated": "2025-10-01T19:46:46.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49147 (GCVE-0-2022-49147)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Fix the maximum minor value is blk_alloc_ext_minor()
ida_alloc_range(..., min, max, ...) returns values from min to max,
inclusive.
So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().
This is an issue because in device_add_disk(), this value is used in:
ddev->devt = MKDEV(disk->major, disk->first_minor);
and NR_EXT_DEVT is '(1 << MINORBITS)'.
So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b9ac3727e4abb11c9cfbe9c0781fc05dfdd7cfb",
"status": "affected",
"version": "22ae8ce8b89241c94ac00c237752c0ffa37ba5ae",
"versionType": "git"
},
{
"lessThan": "0f8cf8f5ccbad25ed6828875b222dbab29d5c272",
"status": "affected",
"version": "22ae8ce8b89241c94ac00c237752c0ffa37ba5ae",
"versionType": "git"
},
{
"lessThan": "fbe2cc4525480ddd20c866bb5c0578071e01451a",
"status": "affected",
"version": "22ae8ce8b89241c94ac00c237752c0ffa37ba5ae",
"versionType": "git"
},
{
"lessThan": "d1868328dec5ae2cf210111025fcbc71f78dd5ca",
"status": "affected",
"version": "22ae8ce8b89241c94ac00c237752c0ffa37ba5ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix the maximum minor value is blk_alloc_ext_minor()\n\nida_alloc_range(..., min, max, ...) returns values from min to max,\ninclusive.\n\nSo, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().\n\nThis is an issue because in device_add_disk(), this value is used in:\n ddev-\u003edevt = MKDEV(disk-\u003emajor, disk-\u003efirst_minor);\nand NR_EXT_DEVT is \u0027(1 \u003c\u003c MINORBITS)\u0027.\n\nSo, should \u0027disk-\u003efirst_minor\u0027 be NR_EXT_DEVT, it would overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:59.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b9ac3727e4abb11c9cfbe9c0781fc05dfdd7cfb"
},
{
"url": "https://git.kernel.org/stable/c/0f8cf8f5ccbad25ed6828875b222dbab29d5c272"
},
{
"url": "https://git.kernel.org/stable/c/fbe2cc4525480ddd20c866bb5c0578071e01451a"
},
{
"url": "https://git.kernel.org/stable/c/d1868328dec5ae2cf210111025fcbc71f78dd5ca"
}
],
"title": "block: Fix the maximum minor value is blk_alloc_ext_minor()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49147",
"datePublished": "2025-02-26T01:55:15.373Z",
"dateReserved": "2025-02-26T01:49:39.271Z",
"dateUpdated": "2025-05-04T08:30:59.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49261 (GCVE-0-2022-49261)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: add missing boundary check in vm_access
A missing bounds check in vm_access() can lead to an out-of-bounds read
or write in the adjacent memory area, since the len attribute is not
validated before the memcpy later in the function, potentially hitting:
[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000
[ 183.637934] #PF: supervisor read access in kernel mode
[ 183.637997] #PF: error_code(0x0000) - not-present page
[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0
[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1
[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019
[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10
[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246
[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc
[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004
[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000
[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000
[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000
[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000
[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0
[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 183.650142] Call Trace:
[ 183.650988] <TASK>
[ 183.651793] vm_access+0x1f0/0x2a0 [i915]
[ 183.652726] __access_remote_vm+0x224/0x380
[ 183.653561] mem_rw.isra.0+0xf9/0x190
[ 183.654402] vfs_read+0x9d/0x1b0
[ 183.655238] ksys_read+0x63/0xe0
[ 183.656065] do_syscall_64+0x38/0xc0
[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 183.657663] RIP: 0033:0x7fe5ef725142
[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142
[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005
[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046
[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0
[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000
Changes since v1:
- Updated if condition with range_overflows_t [Chris Wilson]
[mauld: tidy up the commit message and add Cc: stable]
(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89ddcc81914ab58cc203acc844f27d55ada8ec0e",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "312d3d4f49e12f97260bcf972c848c3562126a18",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "5f6e560e3e86ac053447524224e411034f41f5c7",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
},
{
"lessThan": "3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7",
"status": "affected",
"version": "9f909e215fea0652023b9ed09d3d7bfe10386423",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[ 183.637934] #PF: supervisor read access in kernel mode\n[ 183.637997] #PF: error_code(0x0000) - not-present page\n[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1\n[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 183.650142] Call Trace:\n[ 183.650988] \u003cTASK\u003e\n[ 183.651793] vm_access+0x1f0/0x2a0 [i915]\n[ 183.652726] __access_remote_vm+0x224/0x380\n[ 183.653561] mem_rw.isra.0+0xf9/0x190\n[ 183.654402] vfs_read+0x9d/0x1b0\n[ 183.655238] ksys_read+0x63/0xe0\n[ 183.656065] do_syscall_64+0x38/0xc0\n[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 183.657663] RIP: 0033:0x7fe5ef725142\n[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:36.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e"
},
{
"url": "https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18"
},
{
"url": "https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7"
},
{
"url": "https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
},
{
"url": "https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
}
],
"title": "drm/i915/gem: add missing boundary check in vm_access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49261",
"datePublished": "2025-02-26T01:56:13.077Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:36.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58057 (GCVE-0-2024-58057)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-05-04 10:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: convert workqueues to unbound
When a workqueue is created with `WQ_UNBOUND`, its work items are
served by special worker-pools, whose host workers are not bound to
any specific CPU. In the default configuration (i.e. when
`queue_delayed_work` and friends do not specify which CPU to run the
work item on), `WQ_UNBOUND` allows the work item to be executed on any
CPU in the same node of the CPU it was enqueued on. While this
solution potentially sacrifices locality, it avoids contention with
other processes that might dominate the CPU time of the processor the
work item was scheduled on.
This is not just a theoretical problem: in a particular scenario
misconfigured process was hogging most of the time from CPU0, leaving
less than 0.5% of its CPU time to the kworker. The IDPF workqueues
that were using the kworker on CPU0 suffered large completion delays
as a result, causing performance degradation, timeouts and eventual
system crash.
* I have also run a manual test to gauge the performance
improvement. The test consists of an antagonist process
(`./stress --cpu 2`) consuming as much of CPU 0 as possible. This
process is run under `taskset 01` to bind it to CPU0, and its
priority is changed with `chrt -pQ 9900 10000 ${pid}` and
`renice -n -20 ${pid}` after start.
Then, the IDPF driver is forced to prefer CPU0 by editing all calls
to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.
Finally, `ktraces` for the workqueue events are collected.
Without the current patch, the antagonist process can force
arbitrary delays between `workqueue_queue_work` and
`workqueue_execute_start`, that in my tests were as high as
`30ms`. With the current patch applied, the workqueue can be
migrated to another unloaded CPU in the same node, and, keeping
everything else equal, the maximum delay I could see was `6us`.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66bf9b3d9e1658333741f075320dc8e7cd6f8d09",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "868202ec3854e13de1164e4a3e25521194c5af72",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "9a5b021cb8186f1854bac2812bd4f396bb1e881c",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert workqueues to unbound\n\nWhen a workqueue is created with `WQ_UNBOUND`, its work items are\nserved by special worker-pools, whose host workers are not bound to\nany specific CPU. In the default configuration (i.e. when\n`queue_delayed_work` and friends do not specify which CPU to run the\nwork item on), `WQ_UNBOUND` allows the work item to be executed on any\nCPU in the same node of the CPU it was enqueued on. While this\nsolution potentially sacrifices locality, it avoids contention with\nother processes that might dominate the CPU time of the processor the\nwork item was scheduled on.\n\nThis is not just a theoretical problem: in a particular scenario\nmisconfigured process was hogging most of the time from CPU0, leaving\nless than 0.5% of its CPU time to the kworker. The IDPF workqueues\nthat were using the kworker on CPU0 suffered large completion delays\nas a result, causing performance degradation, timeouts and eventual\nsystem crash.\n\n\n* I have also run a manual test to gauge the performance\n improvement. The test consists of an antagonist process\n (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This\n process is run under `taskset 01` to bind it to CPU0, and its\n priority is changed with `chrt -pQ 9900 10000 ${pid}` and\n `renice -n -20 ${pid}` after start.\n\n Then, the IDPF driver is forced to prefer CPU0 by editing all calls\n to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.\n\n Finally, `ktraces` for the workqueue events are collected.\n\n Without the current patch, the antagonist process can force\n arbitrary delays between `workqueue_queue_work` and\n `workqueue_execute_start`, that in my tests were as high as\n `30ms`. With the current patch applied, the workqueue can be\n migrated to another unloaded CPU in the same node, and, keeping\n everything else equal, the maximum delay I could see was `6us`."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:53.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66bf9b3d9e1658333741f075320dc8e7cd6f8d09"
},
{
"url": "https://git.kernel.org/stable/c/868202ec3854e13de1164e4a3e25521194c5af72"
},
{
"url": "https://git.kernel.org/stable/c/9a5b021cb8186f1854bac2812bd4f396bb1e881c"
}
],
"title": "idpf: convert workqueues to unbound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58057",
"datePublished": "2025-03-06T15:54:00.345Z",
"dateReserved": "2025-03-06T15:52:09.179Z",
"dateUpdated": "2025-05-04T10:08:53.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58014 (GCVE-0-2024-58014)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()
In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN()
instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access.
Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 Version: 5b435de0d786869c95d1962121af0d7df2542009 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:31.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a457223cb2b9ca46bae7de387d0f4c093b0220d",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "13ef16c4fe384b1e70277bbe1d87934ee6c81e12",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "d280a12e9b87819a8a209639d600b48a2d6d65dc",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "ada9df08b3ef683507e75b92f522fb659260147f",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "093286c33409bf38896f2dab0c0bb6ca388afb33",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "c27ce584d274f6ad3cba2294497de824a3c66646",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "6f6e293246dc1f5b2b6b3d0f2d757598489cda79",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "3f4a0948c3524ae50f166dbc6572a3296b014e62",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()\n\nIn \u0027wlc_phy_iqcal_gainparams_nphy()\u0027, add gain range check to WARN()\ninstead of possible out-of-bounds \u0027tbl_iqcal_gainparams_nphy\u0027 access.\nCompile tested only.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T09:13:49.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a457223cb2b9ca46bae7de387d0f4c093b0220d"
},
{
"url": "https://git.kernel.org/stable/c/13ef16c4fe384b1e70277bbe1d87934ee6c81e12"
},
{
"url": "https://git.kernel.org/stable/c/d280a12e9b87819a8a209639d600b48a2d6d65dc"
},
{
"url": "https://git.kernel.org/stable/c/ada9df08b3ef683507e75b92f522fb659260147f"
},
{
"url": "https://git.kernel.org/stable/c/093286c33409bf38896f2dab0c0bb6ca388afb33"
},
{
"url": "https://git.kernel.org/stable/c/c27ce584d274f6ad3cba2294497de824a3c66646"
},
{
"url": "https://git.kernel.org/stable/c/6f6e293246dc1f5b2b6b3d0f2d757598489cda79"
},
{
"url": "https://git.kernel.org/stable/c/3f4a0948c3524ae50f166dbc6572a3296b014e62"
}
],
"title": "wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58014",
"datePublished": "2025-02-27T02:12:07.344Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:31.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21749 (GCVE-0-2025-21749)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: lock the socket in rose_bind()
syzbot reported a soft lockup in rose_loopback_timer(),
with a repro calling bind() from multiple threads.
rose_bind() must lock the socket to avoid this issue.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:54.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8bf5c3fb778bbb1f3ff7d98ec577c969f687513",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed00c5f907d08a647b8bf987514ad8c6b17971a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d308661a0f4e7c8e86dfc7074a55ee5894c61538",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "667f61b3498df751c8b3f0be1637e7226cbe3ed0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e0384efd45f615603e6869205b72040c209e69cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "970cd2ed26cdab2b0f15b6d90d7eaa36538244a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c04b0ab3a647e76d0e752b013de8e404abafc63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1300691aed9ee852b0a9192e29e2bdc2411a7e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: lock the socket in rose_bind()\n\nsyzbot reported a soft lockup in rose_loopback_timer(),\nwith a repro calling bind() from multiple threads.\n\nrose_bind() must lock the socket to avoid this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:17.259Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f3ff7d98ec577c969f687513"
},
{
"url": "https://git.kernel.org/stable/c/ed00c5f907d08a647b8bf987514ad8c6b17971a7"
},
{
"url": "https://git.kernel.org/stable/c/d308661a0f4e7c8e86dfc7074a55ee5894c61538"
},
{
"url": "https://git.kernel.org/stable/c/667f61b3498df751c8b3f0be1637e7226cbe3ed0"
},
{
"url": "https://git.kernel.org/stable/c/e0384efd45f615603e6869205b72040c209e69cc"
},
{
"url": "https://git.kernel.org/stable/c/970cd2ed26cdab2b0f15b6d90d7eaa36538244a5"
},
{
"url": "https://git.kernel.org/stable/c/4c04b0ab3a647e76d0e752b013de8e404abafc63"
},
{
"url": "https://git.kernel.org/stable/c/a1300691aed9ee852b0a9192e29e2bdc2411a7e6"
}
],
"title": "net: rose: lock the socket in rose_bind()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21749",
"datePublished": "2025-02-27T02:12:20.305Z",
"dateReserved": "2024-12-29T08:45:45.758Z",
"dateUpdated": "2025-11-03T19:36:54.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49460 (GCVE-0-2022-49460)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: rk3399_dmc: Disable edev on remove()
Otherwise we hit an unablanced enable-count when unbinding the DFI
device:
[ 1279.659119] ------------[ cut here ]------------
[ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c
...
[ 1279.659352] Hardware name: Google Kevin (DT)
[ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--)
[ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c
[ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28
...
[ 1279.659571] Call trace:
[ 1279.659582] devfreq_event_remove_edev+0x84/0x8c
[ 1279.659590] devm_devfreq_event_release+0x1c/0x28
[ 1279.659602] release_nodes+0x1cc/0x244
[ 1279.659611] devres_release_all+0x44/0x60
[ 1279.659621] device_release_driver_internal+0x11c/0x1ac
[ 1279.659629] device_driver_detach+0x20/0x2c
[ 1279.659641] unbind_store+0x7c/0xb0
[ 1279.659650] drv_attr_store+0x2c/0x40
[ 1279.659663] sysfs_kf_write+0x44/0x58
[ 1279.659672] kernfs_fop_write_iter+0xf4/0x190
[ 1279.659684] vfs_write+0x2b0/0x2e4
[ 1279.659693] ksys_write+0x80/0xec
[ 1279.659701] __arm64_sys_write+0x24/0x30
[ 1279.659714] el0_svc_common+0xf0/0x1d8
[ 1279.659724] do_el0_svc_compat+0x28/0x3c
[ 1279.659738] el0_svc_compat+0x10/0x1c
[ 1279.659746] el0_sync_compat_handler+0xa8/0xcc
[ 1279.659758] el0_sync_compat+0x188/0x1c0
[ 1279.659768] ---[ end trace cec200e5094155b4 ]---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e Version: 5a893e31a636cca3798af2db5aee8d3d144b1e1e |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/rk3399_dmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "664736e2cc09e504ce58ec61164d029d1f2651bb",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "a0180e324a9a63de8f770da300477b48cb4a53f1",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "86b091b6894c449d2734de7aa7d79ccb33ffd97d",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "cb1be1d4be18fe286ba5a67d928598378fd7fbe5",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "fb089b6f21de03a685dd31df3789bbb01c59f8e3",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "a9c2b23a7ac6ab19214cad8cac8af8608a4d9cef",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
},
{
"lessThan": "2fccf9e6050e0e3b8b4cd275d41daf7f7fa22804",
"status": "affected",
"version": "5a893e31a636cca3798af2db5aee8d3d144b1e1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/rk3399_dmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: rk3399_dmc: Disable edev on remove()\n\nOtherwise we hit an unablanced enable-count when unbinding the DFI\ndevice:\n\n[ 1279.659119] ------------[ cut here ]------------\n[ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c\n...\n[ 1279.659352] Hardware name: Google Kevin (DT)\n[ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n[ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c\n[ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28\n...\n[ 1279.659571] Call trace:\n[ 1279.659582] devfreq_event_remove_edev+0x84/0x8c\n[ 1279.659590] devm_devfreq_event_release+0x1c/0x28\n[ 1279.659602] release_nodes+0x1cc/0x244\n[ 1279.659611] devres_release_all+0x44/0x60\n[ 1279.659621] device_release_driver_internal+0x11c/0x1ac\n[ 1279.659629] device_driver_detach+0x20/0x2c\n[ 1279.659641] unbind_store+0x7c/0xb0\n[ 1279.659650] drv_attr_store+0x2c/0x40\n[ 1279.659663] sysfs_kf_write+0x44/0x58\n[ 1279.659672] kernfs_fop_write_iter+0xf4/0x190\n[ 1279.659684] vfs_write+0x2b0/0x2e4\n[ 1279.659693] ksys_write+0x80/0xec\n[ 1279.659701] __arm64_sys_write+0x24/0x30\n[ 1279.659714] el0_svc_common+0xf0/0x1d8\n[ 1279.659724] do_el0_svc_compat+0x28/0x3c\n[ 1279.659738] el0_svc_compat+0x10/0x1c\n[ 1279.659746] el0_sync_compat_handler+0xa8/0xcc\n[ 1279.659758] el0_sync_compat+0x188/0x1c0\n[ 1279.659768] ---[ end trace cec200e5094155b4 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:13.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/664736e2cc09e504ce58ec61164d029d1f2651bb"
},
{
"url": "https://git.kernel.org/stable/c/a0180e324a9a63de8f770da300477b48cb4a53f1"
},
{
"url": "https://git.kernel.org/stable/c/86b091b6894c449d2734de7aa7d79ccb33ffd97d"
},
{
"url": "https://git.kernel.org/stable/c/cb1be1d4be18fe286ba5a67d928598378fd7fbe5"
},
{
"url": "https://git.kernel.org/stable/c/fb089b6f21de03a685dd31df3789bbb01c59f8e3"
},
{
"url": "https://git.kernel.org/stable/c/a9c2b23a7ac6ab19214cad8cac8af8608a4d9cef"
},
{
"url": "https://git.kernel.org/stable/c/2fccf9e6050e0e3b8b4cd275d41daf7f7fa22804"
}
],
"title": "PM / devfreq: rk3399_dmc: Disable edev on remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49460",
"datePublished": "2025-02-26T02:13:07.635Z",
"dateReserved": "2025-02-26T02:08:31.576Z",
"dateUpdated": "2025-05-04T08:38:13.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27835 (GCVE-0-2020-27835)
Vulnerability from cvelistv5
Published
2021-01-07 17:24
Modified
2024-08-04 16:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:43.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "kernel versions prior to 5.10-rc6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-07T17:24:30",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-27835",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kernel",
"version": {
"version_data": [
{
"version_value": "kernel versions prior to 5.10-rc6"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901709"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-27835",
"datePublished": "2021-01-07T17:24:30",
"dateReserved": "2020-10-27T00:00:00",
"dateUpdated": "2024-08-04T16:25:43.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49657 (GCVE-0-2022-49657)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: fix memory leak in error case
usbnet_write_cmd_async() mixed up which buffers
need to be freed in which error case.
v2: add Fixes tag
v3: fix uninitialized buf pointer
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 Version: 877bd862f32b815d54ab5fc10a4fd903d7bf3012 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:31.536163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3eed421ca5c809da93456f69203d164d5220be3d",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "5269209f54dd8dfd15f9383f3a3a1fe8370764f8",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "d5165e657987ff4ba0ace896d4376a3718a9fbc3",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "04894ab34faf40ab72a8a5ab5b404bb0606bbbff",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "0085da9df3dced730027923a6b48f58e9016af91",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "db89582ff330556188da856e01382ccbf3a5e706",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "e7b4f69946a38209b4a4f660bf0e4cbed94f9b4b",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
},
{
"lessThan": "b55a21b764c1e182014630fa5486d717484ac58f",
"status": "affected",
"version": "877bd862f32b815d54ab5fc10a4fd903d7bf3012",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.323",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.288",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.252",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.205",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: fix memory leak in error case\n\nusbnet_write_cmd_async() mixed up which buffers\nneed to be freed in which error case.\n\nv2: add Fixes tag\nv3: fix uninitialized buf pointer"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:43.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3eed421ca5c809da93456f69203d164d5220be3d"
},
{
"url": "https://git.kernel.org/stable/c/5269209f54dd8dfd15f9383f3a3a1fe8370764f8"
},
{
"url": "https://git.kernel.org/stable/c/d5165e657987ff4ba0ace896d4376a3718a9fbc3"
},
{
"url": "https://git.kernel.org/stable/c/04894ab34faf40ab72a8a5ab5b404bb0606bbbff"
},
{
"url": "https://git.kernel.org/stable/c/0085da9df3dced730027923a6b48f58e9016af91"
},
{
"url": "https://git.kernel.org/stable/c/db89582ff330556188da856e01382ccbf3a5e706"
},
{
"url": "https://git.kernel.org/stable/c/e7b4f69946a38209b4a4f660bf0e4cbed94f9b4b"
},
{
"url": "https://git.kernel.org/stable/c/b55a21b764c1e182014630fa5486d717484ac58f"
}
],
"title": "usbnet: fix memory leak in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49657",
"datePublished": "2025-02-26T02:23:56.417Z",
"dateReserved": "2025-02-26T02:21:30.434Z",
"dateUpdated": "2025-10-01T19:36:47.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58002 (GCVE-0-2024-58002)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Remove dangling pointers
When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.
If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.
Clean all the dangling pointers during release().
To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:15.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a29413ace64627e178fd422dd8a5d95219a2c0b",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "653993f46861f2971e95e9a0e36a34b49dec542c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "ac18d781466252cd35a3e311e0a4b264260fd927",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "4dbaa738c583a0e947803c69e8996e88cf98d971",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "438bda062b2c40ddd7df23b932e29ffe0a448cac",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "9edc7d25f7e49c33a1ce7a5ffadea2222065516c",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
},
{
"lessThan": "221cd51efe4565501a3dbf04cc011b537dcce7fb",
"status": "affected",
"version": "e5225c820c057537dc780244760e2e24c7d27366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_ctrl.c",
"drivers/media/usb/uvc/uvc_v4l2.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:09.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b"
},
{
"url": "https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c"
},
{
"url": "https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50"
},
{
"url": "https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927"
},
{
"url": "https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971"
},
{
"url": "https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac"
},
{
"url": "https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c"
},
{
"url": "https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb"
}
],
"title": "media: uvcvideo: Remove dangling pointers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58002",
"datePublished": "2025-02-27T02:12:00.223Z",
"dateReserved": "2025-02-27T02:04:28.915Z",
"dateUpdated": "2025-11-03T19:33:15.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49365 (GCVE-0-2022-49365)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()
The > ARRAY_SIZE() should be >= ARRAY_SIZE() to prevent an out of bounds
access.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:38.034710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:53.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec9ec3bc08b18c5b1b2feafd306ea7c348013898",
"status": "affected",
"version": "734d5ce02cb069cccedc993d8f1dc0ea41cfa3dd",
"versionType": "git"
},
{
"lessThan": "b0808b7a04157b3f56e919f27023fec37a075fad",
"status": "affected",
"version": "e27c41d5b0681c597ac1894f4e02cf626e062250",
"versionType": "git"
},
{
"lessThan": "607c5cd1a08e196d9f2bd3b25a8083ed27ad7ceb",
"status": "affected",
"version": "e27c41d5b0681c597ac1894f4e02cf626e062250",
"versionType": "git"
},
{
"lessThan": "a35faec3db0e13aac8ea720bc1a3503081dd5a3d",
"status": "affected",
"version": "e27c41d5b0681c597ac1894f4e02cf626e062250",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()\n\nThe \u003e ARRAY_SIZE() should be \u003e= ARRAY_SIZE() to prevent an out of bounds\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:08.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec9ec3bc08b18c5b1b2feafd306ea7c348013898"
},
{
"url": "https://git.kernel.org/stable/c/b0808b7a04157b3f56e919f27023fec37a075fad"
},
{
"url": "https://git.kernel.org/stable/c/607c5cd1a08e196d9f2bd3b25a8083ed27ad7ceb"
},
{
"url": "https://git.kernel.org/stable/c/a35faec3db0e13aac8ea720bc1a3503081dd5a3d"
}
],
"title": "drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49365",
"datePublished": "2025-02-26T02:11:10.768Z",
"dateReserved": "2025-02-26T02:08:31.554Z",
"dateUpdated": "2025-10-01T19:46:53.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49466 (GCVE-0-2022-49466)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: scmi: Fix refcount leak in scmi_regulator_probe
of_find_node_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:59.206657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/scmi-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ebbfa73d69909b7c737f599fd4ebd42318fc881",
"status": "affected",
"version": "0fbeae70ee7ce98e18a47337cd1f205dd88589e9",
"versionType": "git"
},
{
"lessThan": "299a002161c7bfb72e99ba45e5b660aecc344ea0",
"status": "affected",
"version": "0fbeae70ee7ce98e18a47337cd1f205dd88589e9",
"versionType": "git"
},
{
"lessThan": "4a59c763ef9b68c711dc2fd2ef4a6648da5480ee",
"status": "affected",
"version": "0fbeae70ee7ce98e18a47337cd1f205dd88589e9",
"versionType": "git"
},
{
"lessThan": "68d6c8476fd4f448e70e0ab31ff972838ac41dae",
"status": "affected",
"version": "0fbeae70ee7ce98e18a47337cd1f205dd88589e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/scmi-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: scmi: Fix refcount leak in scmi_regulator_probe\n\nof_find_node_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:20.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ebbfa73d69909b7c737f599fd4ebd42318fc881"
},
{
"url": "https://git.kernel.org/stable/c/299a002161c7bfb72e99ba45e5b660aecc344ea0"
},
{
"url": "https://git.kernel.org/stable/c/4a59c763ef9b68c711dc2fd2ef4a6648da5480ee"
},
{
"url": "https://git.kernel.org/stable/c/68d6c8476fd4f448e70e0ab31ff972838ac41dae"
}
],
"title": "regulator: scmi: Fix refcount leak in scmi_regulator_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49466",
"datePublished": "2025-02-26T02:13:11.520Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2025-10-01T19:46:46.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58056 (GCVE-0-2024-58056)
Vulnerability from cvelistv5
Published
2025-03-06 15:53
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: core: Fix ida_free call while not allocated
In the rproc_alloc() function, on error, put_device(&rproc->dev) is
called, leading to the call of the rproc_type_release() function.
An error can occurs before ida_alloc is called.
In such case in rproc_type_release(), the condition (rproc->index >= 0) is
true as rproc->index has been initialized to 0.
ida_free() is called reporting a warning:
[ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164
[ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0
[ 4.188854] ida_free called for id=0 which is not allocated.
[ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000
[ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)
[ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442
[ 4.231481] Hardware name: STM32 (Device Tree Support)
[ 4.236627] Workqueue: events_unbound deferred_probe_work_func
[ 4.242504] Call trace:
[ 4.242522] unwind_backtrace from show_stack+0x10/0x14
[ 4.250218] show_stack from dump_stack_lvl+0x50/0x64
[ 4.255274] dump_stack_lvl from __warn+0x80/0x12c
[ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188
[ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164
[ 4.270565] ida_free from rproc_type_release+0x38/0x60
[ 4.275832] rproc_type_release from device_release+0x30/0xa0
[ 4.281601] device_release from kobject_put+0xc4/0x294
[ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c
[ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4
[ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]
[ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc
Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is
properly set.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:52.016Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cf54928e7e32362215c69b68a6a53d110323bf3",
"status": "affected",
"version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
"versionType": "git"
},
{
"lessThan": "b32d60a852bb3952886625d0c3b1c9a88c3ceb7c",
"status": "affected",
"version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
"versionType": "git"
},
{
"lessThan": "f2013d19b7704cd723ab42664b8d9408ea8cc77c",
"status": "affected",
"version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
"versionType": "git"
},
{
"lessThan": "e9efd9fa4679803fe23188d7b47119cf7bc2de6f",
"status": "affected",
"version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
"versionType": "git"
},
{
"lessThan": "7378aeb664e5ebc396950b36a1f2dedf5aabec20",
"status": "affected",
"version": "08333b911f01862e71e51b7065fb4baca3cd2e67",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Fix ida_free call while not allocated\n\nIn the rproc_alloc() function, on error, put_device(\u0026rproc-\u003edev) is\ncalled, leading to the call of the rproc_type_release() function.\nAn error can occurs before ida_alloc is called.\n\nIn such case in rproc_type_release(), the condition (rproc-\u003eindex \u003e= 0) is\ntrue as rproc-\u003eindex has been initialized to 0.\nida_free() is called reporting a warning:\n[ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164\n[ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0\n[ 4.188854] ida_free called for id=0 which is not allocated.\n[ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000\n[ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)\n[ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442\n[ 4.231481] Hardware name: STM32 (Device Tree Support)\n[ 4.236627] Workqueue: events_unbound deferred_probe_work_func\n[ 4.242504] Call trace:\n[ 4.242522] unwind_backtrace from show_stack+0x10/0x14\n[ 4.250218] show_stack from dump_stack_lvl+0x50/0x64\n[ 4.255274] dump_stack_lvl from __warn+0x80/0x12c\n[ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188\n[ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164\n[ 4.270565] ida_free from rproc_type_release+0x38/0x60\n[ 4.275832] rproc_type_release from device_release+0x30/0xa0\n[ 4.281601] device_release from kobject_put+0xc4/0x294\n[ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c\n[ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4\n[ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]\n[ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc\n\nCalling ida_alloc earlier in rproc_alloc ensures that the rproc-\u003eindex is\nproperly set."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:51.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cf54928e7e32362215c69b68a6a53d110323bf3"
},
{
"url": "https://git.kernel.org/stable/c/b32d60a852bb3952886625d0c3b1c9a88c3ceb7c"
},
{
"url": "https://git.kernel.org/stable/c/f2013d19b7704cd723ab42664b8d9408ea8cc77c"
},
{
"url": "https://git.kernel.org/stable/c/e9efd9fa4679803fe23188d7b47119cf7bc2de6f"
},
{
"url": "https://git.kernel.org/stable/c/7378aeb664e5ebc396950b36a1f2dedf5aabec20"
}
],
"title": "remoteproc: core: Fix ida_free call while not allocated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58056",
"datePublished": "2025-03-06T15:53:59.641Z",
"dateReserved": "2025-03-06T15:52:09.179Z",
"dateUpdated": "2025-11-03T19:33:52.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49568 (GCVE-0-2022-49568)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Don't null dereference ops->destroy
A KVM device cleanup happens in either of two callbacks:
1) destroy() which is called when the VM is being destroyed;
2) release() which is called when a device fd is closed.
Most KVM devices use 1) but Book3s's interrupt controller KVM devices
(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during
the machine execution. The error handling in kvm_ioctl_create_device()
assumes destroy() is always defined which leads to NULL dereference as
discovered by Syzkaller.
This adds a checks for destroy!=NULL and adds a missing release().
This is not changing kvm_destroy_devices() as devices with defined
release() should have been removed from the KVM devices list by then.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49568",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:36:56.420307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:37.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "170465715a60cbb7876e6b961b21bd3225469da8",
"status": "affected",
"version": "852b6d57dc7fa378019786fa84727036e56839ea",
"versionType": "git"
},
{
"lessThan": "3616776bc51cd3262bb1be60cc01c72e0a1959cf",
"status": "affected",
"version": "852b6d57dc7fa378019786fa84727036e56839ea",
"versionType": "git"
},
{
"lessThan": "e91665fbbf3ccb268b268a7d71a6513538d813ac",
"status": "affected",
"version": "852b6d57dc7fa378019786fa84727036e56839ea",
"versionType": "git"
},
{
"lessThan": "d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1",
"status": "affected",
"version": "852b6d57dc7fa378019786fa84727036e56839ea",
"versionType": "git"
},
{
"lessThan": "e8bc2427018826e02add7b0ed0fc625a60390ae5",
"status": "affected",
"version": "852b6d57dc7fa378019786fa84727036e56839ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.210",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t null dereference ops-\u003edestroy\n\nA KVM device cleanup happens in either of two callbacks:\n1) destroy() which is called when the VM is being destroyed;\n2) release() which is called when a device fd is closed.\n\nMost KVM devices use 1) but Book3s\u0027s interrupt controller KVM devices\n(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during\nthe machine execution. The error handling in kvm_ioctl_create_device()\nassumes destroy() is always defined which leads to NULL dereference as\ndiscovered by Syzkaller.\n\nThis adds a checks for destroy!=NULL and adds a missing release().\n\nThis is not changing kvm_destroy_devices() as devices with defined\nrelease() should have been removed from the KVM devices list by then."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:21.639Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/170465715a60cbb7876e6b961b21bd3225469da8"
},
{
"url": "https://git.kernel.org/stable/c/3616776bc51cd3262bb1be60cc01c72e0a1959cf"
},
{
"url": "https://git.kernel.org/stable/c/e91665fbbf3ccb268b268a7d71a6513538d813ac"
},
{
"url": "https://git.kernel.org/stable/c/d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1"
},
{
"url": "https://git.kernel.org/stable/c/e8bc2427018826e02add7b0ed0fc625a60390ae5"
}
],
"title": "KVM: Don\u0027t null dereference ops-\u003edestroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49568",
"datePublished": "2025-02-26T02:23:12.722Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:37.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49136 (GCVE-0-2022-49136)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set
hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has
been set as that means hci_unregister_dev has been called so it will
likely cause a uaf after the timeout as the hdev will be freed.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:07.674181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c69ef84a808676cceb69210addf5df45b741323",
"status": "affected",
"version": "6a98e3836fa2077b169f10a35c2ca9952d53f987",
"versionType": "git"
},
{
"lessThan": "0b94f2651f56b9e4aa5f012b0d7eb57308c773cf",
"status": "affected",
"version": "6a98e3836fa2077b169f10a35c2ca9952d53f987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set\n\nhci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has\nbeen set as that means hci_unregister_dev has been called so it will\nlikely cause a uaf after the timeout as the hdev will be freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:46.681Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c69ef84a808676cceb69210addf5df45b741323"
},
{
"url": "https://git.kernel.org/stable/c/0b94f2651f56b9e4aa5f012b0d7eb57308c773cf"
}
],
"title": "Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49136",
"datePublished": "2025-02-26T01:55:09.345Z",
"dateReserved": "2025-02-26T01:49:39.268Z",
"dateUpdated": "2025-05-04T08:30:46.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47657 (GCVE-0-2021-47657)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free()
If virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it
happened in the bug report by syzbot), virtio_gpu_array_put_free() could be
called with objs equal to NULL.
Ensure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise
return from the function.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 377f8331d0565e6f71ba081c894029a92d0c7e77 Version: 377f8331d0565e6f71ba081c894029a92d0c7e77 Version: 377f8331d0565e6f71ba081c894029a92d0c7e77 Version: 377f8331d0565e6f71ba081c894029a92d0c7e77 Version: 244dbb4abe123779ec30e7c6ca283a681aba5c94 Version: 1016c0f62f73d5d2c3a5d1ad1e1fb0cdce1993ae |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:10.176030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b094fece3810c71ceee6f0921676cb65d4e68c5a",
"status": "affected",
"version": "377f8331d0565e6f71ba081c894029a92d0c7e77",
"versionType": "git"
},
{
"lessThan": "ac92b474eeeed75b8660374ba1d129a121c09da8",
"status": "affected",
"version": "377f8331d0565e6f71ba081c894029a92d0c7e77",
"versionType": "git"
},
{
"lessThan": "abc9ad36df16e27ac1c665085157f1a082d39bac",
"status": "affected",
"version": "377f8331d0565e6f71ba081c894029a92d0c7e77",
"versionType": "git"
},
{
"lessThan": "6b79f96f4a23846516e5e6e4dd37fc06f43a60dd",
"status": "affected",
"version": "377f8331d0565e6f71ba081c894029a92d0c7e77",
"versionType": "git"
},
{
"status": "affected",
"version": "244dbb4abe123779ec30e7c6ca283a681aba5c94",
"versionType": "git"
},
{
"status": "affected",
"version": "1016c0f62f73d5d2c3a5d1ad1e1fb0cdce1993ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free()\n\nIf virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it\nhappened in the bug report by syzbot), virtio_gpu_array_put_free() could be\ncalled with objs equal to NULL.\n\nEnsure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise\nreturn from the function."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:41:49.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b094fece3810c71ceee6f0921676cb65d4e68c5a"
},
{
"url": "https://git.kernel.org/stable/c/ac92b474eeeed75b8660374ba1d129a121c09da8"
},
{
"url": "https://git.kernel.org/stable/c/abc9ad36df16e27ac1c665085157f1a082d39bac"
},
{
"url": "https://git.kernel.org/stable/c/6b79f96f4a23846516e5e6e4dd37fc06f43a60dd"
}
],
"title": "drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47657",
"datePublished": "2025-02-26T01:54:20.727Z",
"dateReserved": "2025-02-26T01:48:21.521Z",
"dateUpdated": "2025-10-01T19:57:06.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49603 (GCVE-0-2022-49603)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip: Fix data-races around sysctl_ip_fwd_update_priority.
While reading sysctl_ip_fwd_update_priority, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its readers.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:35:11.593678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c",
"net/ipv4/ip_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11038fa781ab916535c53351537b22d6d405667d",
"status": "affected",
"version": "432e05d328921c68c35bfdeff7d7b7400b8e3d1a",
"versionType": "git"
},
{
"lessThan": "351f81f7d7185d18a9ff76f8f8c2fa8c4eea563b",
"status": "affected",
"version": "432e05d328921c68c35bfdeff7d7b7400b8e3d1a",
"versionType": "git"
},
{
"lessThan": "bcc03369d3277ae075ed421f0c8bf4adb5e65b74",
"status": "affected",
"version": "432e05d328921c68c35bfdeff7d7b7400b8e3d1a",
"versionType": "git"
},
{
"lessThan": "7bf9e18d9a5e99e3c83482973557e9f047b051e7",
"status": "affected",
"version": "432e05d328921c68c35bfdeff7d7b7400b8e3d1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c",
"net/ipv4/ip_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_fwd_update_priority.\n\nWhile reading sysctl_ip_fwd_update_priority, it can be changed\nconcurrently. Thus, we need to add READ_ONCE() to its readers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:35.651Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11038fa781ab916535c53351537b22d6d405667d"
},
{
"url": "https://git.kernel.org/stable/c/351f81f7d7185d18a9ff76f8f8c2fa8c4eea563b"
},
{
"url": "https://git.kernel.org/stable/c/bcc03369d3277ae075ed421f0c8bf4adb5e65b74"
},
{
"url": "https://git.kernel.org/stable/c/7bf9e18d9a5e99e3c83482973557e9f047b051e7"
}
],
"title": "ip: Fix data-races around sysctl_ip_fwd_update_priority.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49603",
"datePublished": "2025-02-26T02:23:29.912Z",
"dateReserved": "2025-02-26T02:21:30.414Z",
"dateUpdated": "2025-10-01T19:36:51.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49467 (GCVE-0-2022-49467)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()
drm_gem_object_lookup will call drm_gem_object_get inside. So cursor_bo
needs to be put when msm_gem_get_and_pin_iova fails.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f Version: e172d10a9c4acc69bb07cbe9142ded2df791ff1f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:56.029022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8cd192752a1f613b14eee77783c6f0aebb49691",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "449374565f349d4233beec811d4286fdfe5de44b",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "656aa3c51fc662064f17179b38ec3ce43af53bca",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "33546183c16c7b9650682dc610bedd732d9c6919",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "d544880482a5558ec06393b1b3d5dc9275b7a32b",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "d63ffe3fb3f8327ca21cf91b6a14a2961bc629b4",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
},
{
"lessThan": "947a844bb3ebff0f4736d244d792ce129f6700d7",
"status": "affected",
"version": "e172d10a9c4acc69bb07cbe9142ded2df791ff1f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: msm: fix possible memory leak in mdp5_crtc_cursor_set()\n\ndrm_gem_object_lookup will call drm_gem_object_get inside. So cursor_bo\nneeds to be put when msm_gem_get_and_pin_iova fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:21.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8cd192752a1f613b14eee77783c6f0aebb49691"
},
{
"url": "https://git.kernel.org/stable/c/449374565f349d4233beec811d4286fdfe5de44b"
},
{
"url": "https://git.kernel.org/stable/c/656aa3c51fc662064f17179b38ec3ce43af53bca"
},
{
"url": "https://git.kernel.org/stable/c/33546183c16c7b9650682dc610bedd732d9c6919"
},
{
"url": "https://git.kernel.org/stable/c/d544880482a5558ec06393b1b3d5dc9275b7a32b"
},
{
"url": "https://git.kernel.org/stable/c/d63ffe3fb3f8327ca21cf91b6a14a2961bc629b4"
},
{
"url": "https://git.kernel.org/stable/c/947a844bb3ebff0f4736d244d792ce129f6700d7"
}
],
"title": "drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49467",
"datePublished": "2025-02-26T02:13:12.022Z",
"dateReserved": "2025-02-26T02:08:31.577Z",
"dateUpdated": "2025-10-01T19:46:46.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53163 (GCVE-0-2024-53163)
Vulnerability from cvelistv5
Published
2024-12-24 11:29
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat/qat_420xx - fix off by one in uof_get_name()
This is called from uof_get_name_420xx() where "num_objs" is the
ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of
bounds access.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:09:16.070998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:07.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c23661a36eea840b657e485d48ed88b246da1bb8",
"status": "affected",
"version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
"versionType": "git"
},
{
"lessThan": "91eef1ad75f03d37dba926b73f9dd6f058bc4d58",
"status": "affected",
"version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
"versionType": "git"
},
{
"lessThan": "93a11608fb3720e1bc2b19a2649ac2b49cca1921",
"status": "affected",
"version": "fcf60f4bcf54952cc14d14178c358be222dbeb43",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat/qat_420xx - fix off by one in uof_get_name()\n\nThis is called from uof_get_name_420xx() where \"num_objs\" is the\nARRAY_SIZE() of fw_objs[]. The \u003e needs to be \u003e= to prevent an out of\nbounds access."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:37.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c23661a36eea840b657e485d48ed88b246da1bb8"
},
{
"url": "https://git.kernel.org/stable/c/91eef1ad75f03d37dba926b73f9dd6f058bc4d58"
},
{
"url": "https://git.kernel.org/stable/c/93a11608fb3720e1bc2b19a2649ac2b49cca1921"
}
],
"title": "crypto: qat/qat_420xx - fix off by one in uof_get_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53163",
"datePublished": "2024-12-24T11:29:19.315Z",
"dateReserved": "2024-11-19T17:17:25.004Z",
"dateUpdated": "2025-10-01T20:17:07.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49404 (GCVE-0-2022-49404)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hfi1: Fix potential integer multiplication overflow errors
When multiplying of different types, an overflow is possible even when
storing the result in a larger type. This is because the conversion is
done after the multiplication. So arithmetic overflow and thus in
incorrect value is possible.
Correct an instance of this in the inter packet delay calculation. Fix by
ensuring one of the operands is u64 which will promote the other to u64 as
well ensuring no overflow.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde Version: 7724105686e718ac476a6ad3304fea2fbcfcffde |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:18.630336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "252f4afd4557a2e7075f793a5c80fe6dd9e9ee4a",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "a89cb7ddf6a89bab6012e19da38b7cdb26175c19",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "79c164e61f818054cd6012e9035701840d895c51",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "8858284dd74906fa00f04f0252c75df4893a7959",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "31dca00d0cc9f4133320d72eb7e3720badc6d6e6",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "3f09ec80f115d2875d747ed28adc1773037e0f8b",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "06039d8afefdbac05bcea5f397188407eba2996d",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "ef5ab2e48a5f9960e2352332b7cdb7064bb49032",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
},
{
"lessThan": "f93e91a0372c922c20d5bee260b0f43b4b8a1bee",
"status": "affected",
"version": "7724105686e718ac476a6ad3304fea2fbcfcffde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Fix potential integer multiplication overflow errors\n\nWhen multiplying of different types, an overflow is possible even when\nstoring the result in a larger type. This is because the conversion is\ndone after the multiplication. So arithmetic overflow and thus in\nincorrect value is possible.\n\nCorrect an instance of this in the inter packet delay calculation. Fix by\nensuring one of the operands is u64 which will promote the other to u64 as\nwell ensuring no overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:57.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/252f4afd4557a2e7075f793a5c80fe6dd9e9ee4a"
},
{
"url": "https://git.kernel.org/stable/c/a89cb7ddf6a89bab6012e19da38b7cdb26175c19"
},
{
"url": "https://git.kernel.org/stable/c/79c164e61f818054cd6012e9035701840d895c51"
},
{
"url": "https://git.kernel.org/stable/c/8858284dd74906fa00f04f0252c75df4893a7959"
},
{
"url": "https://git.kernel.org/stable/c/31dca00d0cc9f4133320d72eb7e3720badc6d6e6"
},
{
"url": "https://git.kernel.org/stable/c/3f09ec80f115d2875d747ed28adc1773037e0f8b"
},
{
"url": "https://git.kernel.org/stable/c/06039d8afefdbac05bcea5f397188407eba2996d"
},
{
"url": "https://git.kernel.org/stable/c/ef5ab2e48a5f9960e2352332b7cdb7064bb49032"
},
{
"url": "https://git.kernel.org/stable/c/f93e91a0372c922c20d5bee260b0f43b4b8a1bee"
}
],
"title": "RDMA/hfi1: Fix potential integer multiplication overflow errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49404",
"datePublished": "2025-02-26T02:12:30.123Z",
"dateReserved": "2025-02-26T02:08:31.565Z",
"dateUpdated": "2025-10-01T19:46:50.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58058 (GCVE-0-2024-58058)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: skip dumping tnc tree when zroot is null
Clearing slab cache will free all znode in memory and make
c->zroot.znode = NULL, then dumping tnc tree will access
c->zroot.znode which cause null pointer dereference.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:19.624482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:37.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:54.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "428aff8f7cfb0d9a8854477648022cef96bcab28",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "6211c11fc20424bbc6d79c835c7c212b553ae898",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "1787cd67bb94b106555ffe64f887f6aa24b47010",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "e01b55f261ccc96e347eba4931e4429d080d879d",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "40e25a3c0063935763717877bb2a814c081509ff",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "77e5266e3d3faa6bdcf20d9c68a8972f6aa06522",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "2a987950df825d0144370e700dc5fb337684ffba",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "bdb0ca39e0acccf6771db49c3f94ed787d05f2d7",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: skip dumping tnc tree when zroot is null\n\nClearing slab cache will free all znode in memory and make\nc-\u003ezroot.znode = NULL, then dumping tnc tree will access\nc-\u003ezroot.znode which cause null pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:59.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/428aff8f7cfb0d9a8854477648022cef96bcab28"
},
{
"url": "https://git.kernel.org/stable/c/6211c11fc20424bbc6d79c835c7c212b553ae898"
},
{
"url": "https://git.kernel.org/stable/c/1787cd67bb94b106555ffe64f887f6aa24b47010"
},
{
"url": "https://git.kernel.org/stable/c/e01b55f261ccc96e347eba4931e4429d080d879d"
},
{
"url": "https://git.kernel.org/stable/c/40e25a3c0063935763717877bb2a814c081509ff"
},
{
"url": "https://git.kernel.org/stable/c/77e5266e3d3faa6bdcf20d9c68a8972f6aa06522"
},
{
"url": "https://git.kernel.org/stable/c/2a987950df825d0144370e700dc5fb337684ffba"
},
{
"url": "https://git.kernel.org/stable/c/bdb0ca39e0acccf6771db49c3f94ed787d05f2d7"
}
],
"title": "ubifs: skip dumping tnc tree when zroot is null",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58058",
"datePublished": "2025-03-06T15:54:01.033Z",
"dateReserved": "2025-03-06T15:52:09.179Z",
"dateUpdated": "2025-11-03T19:33:54.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49337 (GCVE-0-2022-49337)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
When user_dlm_destroy_lock failed, it didn't clean up the flags it set
before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of
lock is still in used, next time when unlink invokes this function, it
will return succeed, and then unlink will remove inode and dentry if lock
is not in used(file closed), but the dlm lock is still linked in dlm lock
resource, then when bast come in, it will trigger a panic due to
user-after-free. See the following panic call trace. To fix this,
USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should
be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink
fail.
For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,
USER_LOCK_BUSY is also required to be cleared. Even though spin lock is
released in between, but USER_LOCK_IN_TEARDOWN is still set, for
USER_LOCK_BUSY, if before every place that waits on this flag,
USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow
waits on the busy flag set by user_dlm_destroy_lock(), then we can
simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix
user_dlm_cluster_lock() which is the only function not following this.
[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink
004fb0000060000b5a90b8c847b72e1, error -16 from destroy
[ 989.757536] ------------[ cut here ]------------
[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!
[ 989.757876] invalid opcode: 0000 [#1] SMP
[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)
ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc
xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5
auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs
ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc
fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc
rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)
mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad
ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support
pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si
ipmi_msghandler
[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp
pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel
be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio
libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi
dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
ksplice_2zhuk2jr_ib_ipoib_old]
[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE
4.1.12-124.57.1.el6uek.x86_64 #2
[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER
X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021
[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:
ffff88017f7c8000
[ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>]
__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246
[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:
0000000000000003
[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:
ffff880174d48170
[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:
0000000000000000
[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:
ffff880174d48008
[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:
ffff88021db7a000
[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)
knlGS:ffff880247480000
[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:
0000000000042660
[ 989.765081] Stack:
[ 989.765167] 00000000000
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/dlmfs/userdlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1434cd71ad9f3a6beda3036972983b6c4869207c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "02480e2e82ae0e5588374bbbcf4fa6e4959fa174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "733a35c00ef363a1c774d7ea486e0735b7c13a15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82bf8e7271fade40184177cb406203addc34c4a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "337e36550788dbe03254f0593a231c1c4873b20d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c96238fac045b289993d7bc5aae7b2d72b25c76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efb54ec548829e1d3605f0434526f86e345b1b28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c5e26a626fe46675bceba853e12aaf13c712e10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "863e0d81b6683c4cbc588ad831f560c90e494bef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/dlmfs/userdlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: dlmfs: fix error handling of user_dlm_destroy_lock\n\nWhen user_dlm_destroy_lock failed, it didn\u0027t clean up the flags it set\nbefore exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of\nlock is still in used, next time when unlink invokes this function, it\nwill return succeed, and then unlink will remove inode and dentry if lock\nis not in used(file closed), but the dlm lock is still linked in dlm lock\nresource, then when bast come in, it will trigger a panic due to\nuser-after-free. See the following panic call trace. To fix this,\nUSER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should\nbe returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink\nfail.\n\nFor the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,\nUSER_LOCK_BUSY is also required to be cleared. Even though spin lock is\nreleased in between, but USER_LOCK_IN_TEARDOWN is still set, for\nUSER_LOCK_BUSY, if before every place that waits on this flag,\nUSER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow\nwaits on the busy flag set by user_dlm_destroy_lock(), then we can\nsimplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix\nuser_dlm_cluster_lock() which is the only function not following this.\n\n[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink\n004fb0000060000b5a90b8c847b72e1, error -16 from destroy\n[ 989.757536] ------------[ cut here ]------------\n[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!\n[ 989.757876] invalid opcode: 0000 [#1] SMP\n[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)\nksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc\nxen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5\nauth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs\nocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc\nfcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc\nrds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad\nrdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)\nmlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad\nib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support\npcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si\nipmi_msghandler\n[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp\npps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel\nbe2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio\nlibiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi\ndm_mirror dm_region_hash dm_log dm_mod [last unloaded:\nksplice_2zhuk2jr_ib_ipoib_old]\n[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE\n4.1.12-124.57.1.el6uek.x86_64 #2\n[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER\nX5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021\n[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:\nffff88017f7c8000\n[ 989.762848] RIP: e030:[\u003cffffffffc07d4316\u003e] [\u003cffffffffc07d4316\u003e]\n__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]\n[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246\n[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:\n0000000000000003\n[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:\nffff880174d48170\n[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:\n0000000000000000\n[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:\nffff880174d48008\n[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:\nffff88021db7a000\n[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)\nknlGS:ffff880247480000\n[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:\n0000000000042660\n[ 989.765081] Stack:\n[ 989.765167] 00000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:29.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1434cd71ad9f3a6beda3036972983b6c4869207c"
},
{
"url": "https://git.kernel.org/stable/c/02480e2e82ae0e5588374bbbcf4fa6e4959fa174"
},
{
"url": "https://git.kernel.org/stable/c/733a35c00ef363a1c774d7ea486e0735b7c13a15"
},
{
"url": "https://git.kernel.org/stable/c/82bf8e7271fade40184177cb406203addc34c4a0"
},
{
"url": "https://git.kernel.org/stable/c/337e36550788dbe03254f0593a231c1c4873b20d"
},
{
"url": "https://git.kernel.org/stable/c/9c96238fac045b289993d7bc5aae7b2d72b25c76"
},
{
"url": "https://git.kernel.org/stable/c/efb54ec548829e1d3605f0434526f86e345b1b28"
},
{
"url": "https://git.kernel.org/stable/c/2c5e26a626fe46675bceba853e12aaf13c712e10"
},
{
"url": "https://git.kernel.org/stable/c/863e0d81b6683c4cbc588ad831f560c90e494bef"
}
],
"title": "ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49337",
"datePublished": "2025-02-26T02:10:55.696Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-05-04T08:35:29.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49353 (GCVE-0-2022-49353)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/papr_scm: don't requests stats with '0' sized stats buffer
Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being
reported with vPMEM when papr_scm probe is being called. The panic is of the
form below and is observed only with following option disabled(profile) for the
said LPAR 'Enable Performance Information Collection' in the HMC:
Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on write at 0x0000001c
Faulting instruction address: 0xc008000001b90844
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>
NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]
LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]
Call Trace:
0xc00000000941bca0 (unreliable)
papr_scm_probe+0x2ac/0x6ec [papr_scm]
platform_probe+0x98/0x150
really_probe+0xfc/0x510
__driver_probe_device+0x17c/0x230
<snip>
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception
On investigation looks like this panic was caused due to a 'stat_buffer' of
size==0 being provided to drc_pmem_query_stats() to fetch all performance
stats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called
since the vPMEM NVDIMM doesn't support and performance stat-id's. This was caused
due to missing check for 'p->stat_buffer_len' at the beginning of
papr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support
performance-stats.
Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of
papr_scm_pmu_check_events().
[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49353",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:48.865208Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:54.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/papr_scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1295aab2ebcda1c1a9ed342baedc080e5c393e5",
"status": "affected",
"version": "b073096df4dec70d0436321b7093bad27ae91f9e",
"versionType": "git"
},
{
"lessThan": "07bf9431b1590d1cd7a8d62075d0b50b073f0495",
"status": "affected",
"version": "0e0946e22f3665d27325d389ff45ade6e93f3678",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/papr_scm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.18.4",
"status": "affected",
"version": "5.18.3",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.18.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: don\u0027t requests stats with \u00270\u0027 sized stats buffer\n\nSachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being\nreported with vPMEM when papr_scm probe is being called. The panic is of the\nform below and is observed only with following option disabled(profile) for the\nsaid LPAR \u0027Enable Performance Information Collection\u0027 in the HMC:\n\n Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on write at 0x0000001c\n Faulting instruction address: 0xc008000001b90844\n Oops: Kernel access of bad area, sig: 11 [#1]\n\u003csnip\u003e\n NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]\n LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]\n Call Trace:\n 0xc00000000941bca0 (unreliable)\n papr_scm_probe+0x2ac/0x6ec [papr_scm]\n platform_probe+0x98/0x150\n really_probe+0xfc/0x510\n __driver_probe_device+0x17c/0x230\n\u003csnip\u003e\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n\nOn investigation looks like this panic was caused due to a \u0027stat_buffer\u0027 of\nsize==0 being provided to drc_pmem_query_stats() to fetch all performance\nstats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn\u0027t have been called\nsince the vPMEM NVDIMM doesn\u0027t support and performance stat-id\u0027s. This was caused\ndue to missing check for \u0027p-\u003estat_buffer_len\u0027 at the beginning of\npapr_scm_pmu_check_events() which indicates that the NVDIMM doesn\u0027t support\nperformance-stats.\n\nFix this by introducing the check for \u0027p-\u003estat_buffer_len\u0027 at the beginning of\npapr_scm_pmu_check_events().\n\n[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:54.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1295aab2ebcda1c1a9ed342baedc080e5c393e5"
},
{
"url": "https://git.kernel.org/stable/c/07bf9431b1590d1cd7a8d62075d0b50b073f0495"
}
],
"title": "powerpc/papr_scm: don\u0027t requests stats with \u00270\u0027 sized stats buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49353",
"datePublished": "2025-02-26T02:11:04.982Z",
"dateReserved": "2025-02-26T02:08:31.545Z",
"dateUpdated": "2025-10-01T19:46:54.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49279 (GCVE-0-2022-49279)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: prevent integer overflow on 32 bit systems
On a 32 bit system, the "len * sizeof(*p)" operation can have an
integer overflow.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:26.432021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:01.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sunrpc/xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a2789e8ccb4a3e2a631f6817a2d3bb98b8c4fd8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce1aa09cc14ed625104acc2d487bd92b9a88efe2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7af164fa2f1abc577d357d22d83a2f3490875d7e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "303cd6173dce0a28d26526c77814eb90a41bd898",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79b1c54fc6ce09ee0d5fe088bb3de26ae2150e3c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e4195d27306ea468a6dc3a27af6f586709951229",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "23a9dbbe0faf124fc4c139615633b9d12a3a89ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sunrpc/xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: prevent integer overflow on 32 bit systems\n\nOn a 32 bit system, the \"len * sizeof(*p)\" operation can have an\ninteger overflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:03.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a2789e8ccb4a3e2a631f6817a2d3bb98b8c4fd8"
},
{
"url": "https://git.kernel.org/stable/c/ce1aa09cc14ed625104acc2d487bd92b9a88efe2"
},
{
"url": "https://git.kernel.org/stable/c/7af164fa2f1abc577d357d22d83a2f3490875d7e"
},
{
"url": "https://git.kernel.org/stable/c/303cd6173dce0a28d26526c77814eb90a41bd898"
},
{
"url": "https://git.kernel.org/stable/c/79b1c54fc6ce09ee0d5fe088bb3de26ae2150e3c"
},
{
"url": "https://git.kernel.org/stable/c/e4195d27306ea468a6dc3a27af6f586709951229"
},
{
"url": "https://git.kernel.org/stable/c/23a9dbbe0faf124fc4c139615633b9d12a3a89ef"
}
],
"title": "NFSD: prevent integer overflow on 32 bit systems",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49279",
"datePublished": "2025-02-26T01:56:22.051Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-10-01T19:47:01.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49283 (GCVE-0-2022-49283)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: sysfb: fix platform-device leak in error path
Make sure to free the platform device also in the unlikely event that
registration fails.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/sysfb_simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3e38f939ab4d0d86f56bff3362c3f88c4b2ad32",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "bb7fcbe80a013dc883181dc818c407d38558f76c",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "fed4df558b8cdb6f3beea38a7c977f118f082b0d",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
},
{
"lessThan": "202c08914ba50dd324e42d5ad99535a89f242560",
"status": "affected",
"version": "8633ef82f101c040427b57d4df7b706261420b94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/sysfb_simplefb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: sysfb: fix platform-device leak in error path\n\nMake sure to free the platform device also in the unlikely event that\nregistration fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:12.930Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3e38f939ab4d0d86f56bff3362c3f88c4b2ad32"
},
{
"url": "https://git.kernel.org/stable/c/bb7fcbe80a013dc883181dc818c407d38558f76c"
},
{
"url": "https://git.kernel.org/stable/c/fed4df558b8cdb6f3beea38a7c977f118f082b0d"
},
{
"url": "https://git.kernel.org/stable/c/202c08914ba50dd324e42d5ad99535a89f242560"
}
],
"title": "firmware: sysfb: fix platform-device leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49283",
"datePublished": "2025-02-26T01:56:24.155Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:12.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49111 (GCVE-0-2022-49111)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use after free in hci_send_acl
This fixes the following trace caused by receiving
HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without
first checking if conn->type is in fact AMP_LINK and in case it is
do properly cleanup upper layers with hci_disconn_cfm:
==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
CPU: 0 PID: 142 Comm: bluetoothd Not tainted
5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x59
print_address_description.constprop.0+0x1f/0x150
kasan_report.cold+0x7f/0x11b
hci_send_acl+0xaba/0xc50
l2cap_do_send+0x23f/0x3d0
l2cap_chan_send+0xc06/0x2cc0
l2cap_sock_sendmsg+0x201/0x2b0
sock_sendmsg+0xdc/0x110
sock_write_iter+0x20f/0x370
do_iter_readv_writev+0x343/0x690
do_iter_write+0x132/0x640
vfs_writev+0x198/0x570
do_writev+0x202/0x280
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
<48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
</TASK>
R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0
Allocated by task 45:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
hci_chan_create+0x9a/0x2f0
l2cap_conn_add.part.0+0x1a/0xdc0
l2cap_connect_cfm+0x236/0x1000
le_conn_complete_evt+0x15a7/0x1db0
hci_le_conn_complete_evt+0x226/0x2c0
hci_le_meta_evt+0x247/0x450
hci_event_packet+0x61b/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
Freed by task 45:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xfb/0x130
kfree+0xac/0x350
hci_conn_cleanup+0x101/0x6a0
hci_conn_del+0x27e/0x6c0
hci_disconn_phylink_complete_evt+0xe0/0x120
hci_event_packet+0x812/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff88800c0f0500
The buggy address is located 24 bytes inside of
which belongs to the cache kmalloc-128 of size 128
The buggy address belongs to the page:
128-byte region [ffff88800c0f0500, ffff88800c0f0580)
flags: 0x100000000000200(slab|node=0|zone=1)
page:00000000fe45cd86 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xc0f0
raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
raw: 0100000000000200 ffffea00003a2c80 dead000000000004
ffff8880078418c0
page dumped because: kasan: bad access detected
ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
Memory state around the buggy address:
>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:22.265818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c41de54b0a963e59e4dd04c029a4a6d73f45ef9c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "643a6c26bd32e339d00ad97b8822b6db009e803c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "684e505406abaeabe0058e9776f9210bf2747953",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3803d896ddd97c7c16689a5381c0960040727647",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cc803804ec9a296b3156855d6c8c4ca1c6b84be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d404765dffdbd8dcd14758695d0c96c52fb2e624",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4da302b90b96c309987eb9b37c8547f939f042d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f63d24baff787e13b723d86fe036f84bdbc35045",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn-\u003etype is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n 5.17.0-rc5-00006-gda4022eeac1a #7\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x150\n kasan_report.cold+0x7f/0x11b\n hci_send_acl+0xaba/0xc50\n l2cap_do_send+0x23f/0x3d0\n l2cap_chan_send+0xc06/0x2cc0\n l2cap_sock_sendmsg+0x201/0x2b0\n sock_sendmsg+0xdc/0x110\n sock_write_iter+0x20f/0x370\n do_iter_readv_writev+0x343/0x690\n do_iter_write+0x132/0x640\n vfs_writev+0x198/0x570\n do_writev+0x202/0x280\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n \u003c/TASK\u003e\n R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\n\n Allocated by task 45:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n hci_chan_create+0x9a/0x2f0\n l2cap_conn_add.part.0+0x1a/0xdc0\n l2cap_connect_cfm+0x236/0x1000\n le_conn_complete_evt+0x15a7/0x1db0\n hci_le_conn_complete_evt+0x226/0x2c0\n hci_le_meta_evt+0x247/0x450\n hci_event_packet+0x61b/0xe90\n hci_rx_work+0x4d5/0xc50\n process_one_work+0x8fb/0x15a0\n worker_thread+0x576/0x1240\n kthread+0x29d/0x340\n ret_from_fork+0x1f/0x30\n\n Freed by task 45:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0xfb/0x130\n kfree+0xac/0x350\n hci_conn_cleanup+0x101/0x6a0\n hci_conn_del+0x27e/0x6c0\n hci_disconn_phylink_complete_evt+0xe0/0x120\n hci_event_packet+0x812/0xe90\n hci_rx_work+0x4d5/0xc50\n process_one_work+0x8fb/0x15a0\n worker_thread+0x576/0x1240\n kthread+0x29d/0x340\n ret_from_fork+0x1f/0x30\n\n The buggy address belongs to the object at ffff88800c0f0500\n The buggy address is located 24 bytes inside of\n which belongs to the cache kmalloc-128 of size 128\n The buggy address belongs to the page:\n 128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n flags: 0x100000000000200(slab|node=0|zone=1)\n page:00000000fe45cd86 refcount:1 mapcount:0\n mapping:0000000000000000 index:0x0 pfn:0xc0f0\n raw: 0000000000000000 0000000080100010 00000001ffffffff\n 0000000000000000\n raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n ffff8880078418c0\n page dumped because: kasan: bad access detected\n ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n Memory state around the buggy address:\n \u003effff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:07.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c"
},
{
"url": "https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c"
},
{
"url": "https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953"
},
{
"url": "https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647"
},
{
"url": "https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be"
},
{
"url": "https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624"
},
{
"url": "https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2"
},
{
"url": "https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502"
},
{
"url": "https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045"
}
],
"title": "Bluetooth: Fix use after free in hci_send_acl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49111",
"datePublished": "2025-02-26T01:54:56.622Z",
"dateReserved": "2025-02-26T01:49:39.261Z",
"dateUpdated": "2025-05-04T08:30:07.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49203 (GCVE-0-2022-49203)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix double free during GPU reset on DC streams
[Why]
The issue only occurs during the GPU reset code path.
We first backup the current state prior to commiting 0 streams
internally from DM to DC. This state backup contains valid link
encoder assignments.
DC will clear the link encoder assignments as part of current state
(but not the backup, since it was a copied before the commit) and
free the extra stream reference it held.
DC requires that the link encoder assignments remain cleared/invalid
prior to commiting. Since the backup still has valid assignments we
call the interface post reset to clear them. This routine also
releases the extra reference that the link encoder interface held -
resulting in a double free (and eventually a NULL pointer dereference).
[How]
We'll have to do a full DC commit anyway after GPU reset because
the stream count previously went to 0.
We don't need to retain the assignment that we had backed up, so
just copy off of the now clean current state assignment after the
reset has occcurred with the new link_enc_cfg_copy() interface.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:11.954248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:58.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
"drivers/gpu/drm/amd/display/dc/core/dc_link_enc_cfg.c",
"drivers/gpu/drm/amd/display/dc/inc/link_enc_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bbfcdd6289ba6f00f0cd7d496946dce9f6c600ac",
"status": "affected",
"version": "6d63fcc2a334f7bd15e4e9b1db50a19335d2af4f",
"versionType": "git"
},
{
"lessThan": "32685b32d825ca08c5dec826477332df886c4743",
"status": "affected",
"version": "6d63fcc2a334f7bd15e4e9b1db50a19335d2af4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
"drivers/gpu/drm/amd/display/dc/core/dc_link_enc_cfg.c",
"drivers/gpu/drm/amd/display/dc/inc/link_enc_cfg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix double free during GPU reset on DC streams\n\n[Why]\nThe issue only occurs during the GPU reset code path.\n\nWe first backup the current state prior to commiting 0 streams\ninternally from DM to DC. This state backup contains valid link\nencoder assignments.\n\nDC will clear the link encoder assignments as part of current state\n(but not the backup, since it was a copied before the commit) and\nfree the extra stream reference it held.\n\nDC requires that the link encoder assignments remain cleared/invalid\nprior to commiting. Since the backup still has valid assignments we\ncall the interface post reset to clear them. This routine also\nreleases the extra reference that the link encoder interface held -\nresulting in a double free (and eventually a NULL pointer dereference).\n\n[How]\nWe\u0027ll have to do a full DC commit anyway after GPU reset because\nthe stream count previously went to 0.\n\nWe don\u0027t need to retain the assignment that we had backed up, so\njust copy off of the now clean current state assignment after the\nreset has occcurred with the new link_enc_cfg_copy() interface."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:16.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bbfcdd6289ba6f00f0cd7d496946dce9f6c600ac"
},
{
"url": "https://git.kernel.org/stable/c/32685b32d825ca08c5dec826477332df886c4743"
}
],
"title": "drm/amd/display: Fix double free during GPU reset on DC streams",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49203",
"datePublished": "2025-02-26T01:55:44.214Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:56:58.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49552 (GCVE-0-2022-49552)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix combination of jit blinding and pointers to bpf subprogs.
The combination of jit blinding and pointers to bpf subprogs causes:
[ 36.989548] BUG: unable to handle page fault for address: 0000000100000001
[ 36.990342] #PF: supervisor instruction fetch in kernel mode
[ 36.990968] #PF: error_code(0x0010) - not-present page
[ 36.994859] RIP: 0010:0x100000001
[ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.
[ 37.004091] Call Trace:
[ 37.004351] <TASK>
[ 37.004576] ? bpf_loop+0x4d/0x70
[ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b
The jit blinding logic didn't recognize that ld_imm64 with an address
of bpf subprogram is a special instruction and proceeded to randomize it.
By itself it wouldn't have been an issue, but jit_subprogs() logic
relies on two step process to JIT all subprogs and then JIT them
again when addresses of all subprogs are known.
Blinding process in the first JIT phase caused second JIT to miss
adjustment of special ld_imm64.
Fix this issue by ignoring special ld_imm64 instructions that don't have
user controlled constants and shouldn't be blinded.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a029b02b47dd5bb87a21550d9d9a80cb4dd3f714",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
},
{
"lessThan": "d106a3e96fca30e44081eae9c27aab28fc132a46",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
},
{
"lessThan": "4b6313cf99b0d51b49aeaea98ec76ca8161ecb80",
"status": "affected",
"version": "69c087ba6225b574afb6e505b72cb75242a3d844",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix combination of jit blinding and pointers to bpf subprogs.\n\nThe combination of jit blinding and pointers to bpf subprogs causes:\n[ 36.989548] BUG: unable to handle page fault for address: 0000000100000001\n[ 36.990342] #PF: supervisor instruction fetch in kernel mode\n[ 36.990968] #PF: error_code(0x0010) - not-present page\n[ 36.994859] RIP: 0010:0x100000001\n[ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.\n[ 37.004091] Call Trace:\n[ 37.004351] \u003cTASK\u003e\n[ 37.004576] ? bpf_loop+0x4d/0x70\n[ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b\n\nThe jit blinding logic didn\u0027t recognize that ld_imm64 with an address\nof bpf subprogram is a special instruction and proceeded to randomize it.\nBy itself it wouldn\u0027t have been an issue, but jit_subprogs() logic\nrelies on two step process to JIT all subprogs and then JIT them\nagain when addresses of all subprogs are known.\nBlinding process in the first JIT phase caused second JIT to miss\nadjustment of special ld_imm64.\n\nFix this issue by ignoring special ld_imm64 instructions that don\u0027t have\nuser controlled constants and shouldn\u0027t be blinded."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:23.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a029b02b47dd5bb87a21550d9d9a80cb4dd3f714"
},
{
"url": "https://git.kernel.org/stable/c/d106a3e96fca30e44081eae9c27aab28fc132a46"
},
{
"url": "https://git.kernel.org/stable/c/4b6313cf99b0d51b49aeaea98ec76ca8161ecb80"
}
],
"title": "bpf: Fix combination of jit blinding and pointers to bpf subprogs.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49552",
"datePublished": "2025-02-26T02:14:01.696Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-05-04T08:40:23.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49442 (GCVE-0-2022-49442)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers/base/node.c: fix compaction sysfs file leak
Compaction sysfs file is created via compaction_register_node in
register_node. But we forgot to remove it in unregister_node. Thus
compaction sysfs file is leaked. Using compaction_unregister_node to fix
this issue.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 Version: ed4a6d7f0676db50b5023cc01f6cda82a2f2a307 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39642b0feddb9c39faa6de469a94bfeb4dc0d3a9",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "606732650a2c88e66c59c22dd5464ea0d820250e",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "f76ddc8fcf6d81fe89bfa4d3efcbc4fe69a91d48",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "386e69e068177ee91cac27f2f0e6ebda1515f5ca",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "d8a5bdc767f17281da648555cdbd286f98fd98ee",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "b3fcf1f583b1a0946d9d9bfb7362c9c186801775",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "466134df7561aeb801baddf6666b512e0e1a1707",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "6905be93d1ab54f73718047536fec0ca488d5315",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
},
{
"lessThan": "da63dc84befaa9e6079a0bc363ff0eaa975f9073",
"status": "affected",
"version": "ed4a6d7f0676db50b5023cc01f6cda82a2f2a307",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/base/node.c: fix compaction sysfs file leak\n\nCompaction sysfs file is created via compaction_register_node in\nregister_node. But we forgot to remove it in unregister_node. Thus\ncompaction sysfs file is leaked. Using compaction_unregister_node to fix\nthis issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:50.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39642b0feddb9c39faa6de469a94bfeb4dc0d3a9"
},
{
"url": "https://git.kernel.org/stable/c/606732650a2c88e66c59c22dd5464ea0d820250e"
},
{
"url": "https://git.kernel.org/stable/c/f76ddc8fcf6d81fe89bfa4d3efcbc4fe69a91d48"
},
{
"url": "https://git.kernel.org/stable/c/386e69e068177ee91cac27f2f0e6ebda1515f5ca"
},
{
"url": "https://git.kernel.org/stable/c/d8a5bdc767f17281da648555cdbd286f98fd98ee"
},
{
"url": "https://git.kernel.org/stable/c/b3fcf1f583b1a0946d9d9bfb7362c9c186801775"
},
{
"url": "https://git.kernel.org/stable/c/466134df7561aeb801baddf6666b512e0e1a1707"
},
{
"url": "https://git.kernel.org/stable/c/6905be93d1ab54f73718047536fec0ca488d5315"
},
{
"url": "https://git.kernel.org/stable/c/da63dc84befaa9e6079a0bc363ff0eaa975f9073"
}
],
"title": "drivers/base/node.c: fix compaction sysfs file leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49442",
"datePublished": "2025-02-26T02:12:55.291Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-05-04T08:37:50.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47636 (GCVE-0-2021-47636)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
Function ubifs_wbuf_write_nolock() may access buf out of bounds in
following process:
ubifs_wbuf_write_nolock():
aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096
if (aligned_len <= wbuf->avail) ... // Not satisfy
if (wbuf->used) {
ubifs_leb_write() // Fill some data in avail wbuf
len -= wbuf->avail; // len is still not 8-bytes aligned
aligned_len -= wbuf->avail;
}
n = aligned_len >> c->max_write_shift;
if (n) {
n <<= c->max_write_shift;
err = ubifs_leb_write(c, wbuf->lnum, buf + written,
wbuf->offs, n);
// n > len, read out of bounds less than 8(n-len) bytes
}
, which can be catched by KASAN:
=========================================================
BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0
Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128
Workqueue: writeback wb_workfn (flush-ubifs_0_0)
Call Trace:
kasan_report.cold+0x81/0x165
nand_write_page_swecc+0xa9/0x160
ubifs_leb_write+0xf2/0x1b0 [ubifs]
ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]
write_head+0xdc/0x1c0 [ubifs]
ubifs_jnl_write_inode+0x627/0x960 [ubifs]
wb_workfn+0x8af/0xb80
Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8
bytes aligned, the 'len' represents the true length of buf (which is
allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so
ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully
to write leb safely.
Fetch a reproducer in [Link].
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:54.449259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:08.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5343575aa11c5d7044107d59d43f84aec01312b0",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "b80ccbec0e4804436c382d7dd60e943c386ed83a",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "07a209fadee7b53b46858538e1177597273862e4",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "a7054aaf1909cf40489c0ec1b728fdcf79c751a6",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "e09fa5318d51f522e1af4fbaf8f74999355980c8",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "3b7fb89135a20587d57f8877c02e25003e9edbdf",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "4f2262a334641e05f645364d5ade1f565c85f20b",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096\n if (aligned_len \u003c= wbuf-\u003eavail) ... // Not satisfy\n if (wbuf-\u003eused) {\n ubifs_leb_write() // Fill some data in avail wbuf\n len -= wbuf-\u003eavail; // len is still not 8-bytes aligned\n aligned_len -= wbuf-\u003eavail;\n }\n n = aligned_len \u003e\u003e c-\u003emax_write_shift;\n if (n) {\n n \u003c\u003c= c-\u003emax_write_shift;\n err = ubifs_leb_write(c, wbuf-\u003elnum, buf + written,\n wbuf-\u003eoffs, n);\n // n \u003e len, read out of bounds less than 8(n-len) bytes\n }\n\n, which can be catched by KASAN:\n =========================================================\n BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n Call Trace:\n kasan_report.cold+0x81/0x165\n nand_write_page_swecc+0xa9/0x160\n ubifs_leb_write+0xf2/0x1b0 [ubifs]\n ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n write_head+0xdc/0x1c0 [ubifs]\n ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter \u0027len\u0027 is not 8\nbytes aligned, the \u0027len\u0027 represents the true length of buf (which is\nallocated in \u0027ubifs_jnl_xxx\u0027, eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from \u0027buf\u0027 carefully\nto write leb safely.\n\nFetch a reproducer in [Link]."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:15.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"
},
{
"url": "https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"
},
{
"url": "https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"
},
{
"url": "https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"
},
{
"url": "https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"
},
{
"url": "https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"
},
{
"url": "https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"
}
],
"title": "ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47636",
"datePublished": "2025-02-26T01:54:10.206Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:08.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49214 (GCVE-0-2022-49214)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Don't use DSISR for SLB faults
Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data
is read or write.") we use page_fault_is_write(regs->dsisr) in
__bad_page_fault() to determine if the fault is for a read or write, and
change the message printed accordingly.
But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data
Storage Interrupt Status Register) to a useful value. All ISA versions
from v2.03 through v3.1 specify that the Data Segment Interrupt sets
DSISR "to an undefined value". As far as I can see there's no mention of
SLB faults setting DSISR in any BookIV content either.
This manifests as accesses that should be a read being incorrectly
reported as writes, for example, using the xmon "dump" command:
0:mon> d 0x5deadbeef0000000
5deadbeef0000000
[359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000
[359526.415611][ C6] Faulting instruction address: 0xc00000000010a300
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]
pc: c00000000010a300: mread+0x90/0x190
If we disassemble the PC, we see a load instruction:
0:mon> di c00000000010a300
c00000000010a300 89490000 lbz r10,0(r9)
We can also see in exceptions-64s.S that the data_access_slb block
doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So
the value we're using to determine if the fault is a read/write is some
stale value in pt_regs from a previous page fault.
Rework the printing logic to separate the SLB fault case out, and only
print read/write in the cases where we can determine it.
The result looks like eg:
0:mon> d 0x5deadbeef0000000
5deadbeef0000000
[ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000
[ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
0:mon> d 0
0000000000000000
[ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000
[ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0
cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a852ff9b7bea9c640540e2c1bc70bd3ba455d61",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "a3dae36d632b2cf6eb20314273e512a96cb43c9a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "093449bb182db885dae816d62874cccab7a4c42a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
},
{
"lessThan": "d4679ac8ea2e5078704aa1c026db36580cc1bf9a",
"status": "affected",
"version": "46ddcb3950a28c0df4815e8dbb8d4b91d5d9f22d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/mm/fault.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Don\u0027t use DSISR for SLB faults\n\nSince commit 46ddcb3950a2 (\"powerpc/mm: Show if a bad page fault on data\nis read or write.\") we use page_fault_is_write(regs-\u003edsisr) in\n__bad_page_fault() to determine if the fault is for a read or write, and\nchange the message printed accordingly.\n\nBut SLB faults, aka Data Segment Interrupts, don\u0027t set DSISR (Data\nStorage Interrupt Status Register) to a useful value. All ISA versions\nfrom v2.03 through v3.1 specify that the Data Segment Interrupt sets\nDSISR \"to an undefined value\". As far as I can see there\u0027s no mention of\nSLB faults setting DSISR in any BookIV content either.\n\nThis manifests as accesses that should be a read being incorrectly\nreported as writes, for example, using the xmon \"dump\" command:\n\n 0:mon\u003e d 0x5deadbeef0000000\n 5deadbeef0000000\n [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000\n [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]\n pc: c00000000010a300: mread+0x90/0x190\n\nIf we disassemble the PC, we see a load instruction:\n\n 0:mon\u003e di c00000000010a300\n c00000000010a300 89490000 lbz r10,0(r9)\n\nWe can also see in exceptions-64s.S that the data_access_slb block\ndoesn\u0027t set IDSISR=1, which means it doesn\u0027t load DSISR into pt_regs. So\nthe value we\u0027re using to determine if the fault is a read/write is some\nstale value in pt_regs from a previous page fault.\n\nRework the printing logic to separate the SLB fault case out, and only\nprint read/write in the cases where we can determine it.\n\nThe result looks like eg:\n\n 0:mon\u003e d 0x5deadbeef0000000\n 5deadbeef0000000\n [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000\n [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]\n\n 0:mon\u003e d 0\n 0000000000000000\n [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000\n [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0\n cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:31.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a852ff9b7bea9c640540e2c1bc70bd3ba455d61"
},
{
"url": "https://git.kernel.org/stable/c/a3dae36d632b2cf6eb20314273e512a96cb43c9a"
},
{
"url": "https://git.kernel.org/stable/c/093449bb182db885dae816d62874cccab7a4c42a"
},
{
"url": "https://git.kernel.org/stable/c/d4679ac8ea2e5078704aa1c026db36580cc1bf9a"
}
],
"title": "powerpc/64s: Don\u0027t use DSISR for SLB faults",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49214",
"datePublished": "2025-02-26T01:55:49.677Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-05-04T08:32:31.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21772 (GCVE-0-2025-21772)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
partitions: mac: fix handling of bogus partition table
Fix several issues in partition probing:
- The bailout for a bad partoffset must use put_dev_sector(), since the
preceding read_part_sector() succeeded.
- If the partition table claims a silly sector size like 0xfff bytes
(which results in partition table entries straddling sector boundaries),
bail out instead of accessing out-of-bounds memory.
- We must not assume that the partition table contains proper NUL
termination - use strnlen() and strncmp() instead of strlen() and
strcmp().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:27.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/partitions/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3e77da9f843e4ab93917d30c314f0283e28c124",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "213ba5bd81b7e97ac6e6190b8f3bc6ba76123625",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40a35d14f3c0dc72b689061ec72fc9b193f37d1f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27a39d006f85e869be68c1d5d2ce05e5d6445bf5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92527100be38ede924768f4277450dfe8a40e16b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6578717ebca91678131d2b1f4ba4258e60536e9f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fa9706722882f634090bfc9af642bf9ed719e27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "80e648042e512d5a767da251d44132553fe04ae0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/partitions/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n (which results in partition table entries straddling sector boundaries),\n bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n termination - use strnlen() and strncmp() instead of strlen() and\n strcmp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:46.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
},
{
"url": "https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625"
},
{
"url": "https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f"
},
{
"url": "https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5"
},
{
"url": "https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b"
},
{
"url": "https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f"
},
{
"url": "https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27"
},
{
"url": "https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0"
}
],
"title": "partitions: mac: fix handling of bogus partition table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21772",
"datePublished": "2025-02-27T02:18:19.528Z",
"dateReserved": "2024-12-29T08:45:45.762Z",
"dateUpdated": "2025-11-03T19:37:27.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57807 (GCVE-0-2024-57807)
Vulnerability from cvelistv5
Published
2025-01-11 12:39
Modified
2025-11-03 20:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: megaraid_sas: Fix for a potential deadlock
This fixes a 'possible circular locking dependency detected' warning
CPU0 CPU1
---- ----
lock(&instance->reset_mutex);
lock(&shost->scan_mutex);
lock(&instance->reset_mutex);
lock(&shost->scan_mutex);
Fix this by temporarily releasing the reset_mutex.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:55:10.662774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:20.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:54:38.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/megaraid/megaraid_sas_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78afb9bfad00c4aa58a424111d7edbcab9452f2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f36d024bd15ed356a80dda3ddc46d0a62aa55815",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c654998a3e8167a58b6c6fede545fe400a4b554",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edadc693bfcc0f1ea08b8fa041c9361fd042410d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f50783148ec98a1d38b87422e2ceaf2380b7b606",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "466ca39dbf5d0ba71c16b15c27478a9c7d4022a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "50740f4dc78b41dec7c8e39772619d5ba841ddd7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/megaraid/megaraid_sas_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix for a potential deadlock\n\nThis fixes a \u0027possible circular locking dependency detected\u0027 warning\n CPU0 CPU1\n ---- ----\n lock(\u0026instance-\u003ereset_mutex);\n lock(\u0026shost-\u003escan_mutex);\n lock(\u0026instance-\u003ereset_mutex);\n lock(\u0026shost-\u003escan_mutex);\n\nFix this by temporarily releasing the reset_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:05:15.485Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78afb9bfad00c4aa58a424111d7edbcab9452f2b"
},
{
"url": "https://git.kernel.org/stable/c/f36d024bd15ed356a80dda3ddc46d0a62aa55815"
},
{
"url": "https://git.kernel.org/stable/c/3c654998a3e8167a58b6c6fede545fe400a4b554"
},
{
"url": "https://git.kernel.org/stable/c/edadc693bfcc0f1ea08b8fa041c9361fd042410d"
},
{
"url": "https://git.kernel.org/stable/c/f50783148ec98a1d38b87422e2ceaf2380b7b606"
},
{
"url": "https://git.kernel.org/stable/c/466ca39dbf5d0ba71c16b15c27478a9c7d4022a8"
},
{
"url": "https://git.kernel.org/stable/c/50740f4dc78b41dec7c8e39772619d5ba841ddd7"
}
],
"title": "scsi: megaraid_sas: Fix for a potential deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57807",
"datePublished": "2025-01-11T12:39:53.645Z",
"dateReserved": "2025-01-11T12:33:33.728Z",
"dateUpdated": "2025-11-03T20:54:38.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49435 (GCVE-0-2022-49435)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 Version: b5e29aa880be84c271be8d0726cec4018bfbfd74 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mfd/davinci_voicecodec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49c1e32e7b3f301642a60448700ec531df981269",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
},
{
"lessThan": "a1d4941d9a24999f680799f9bbde7f57351ca637",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
},
{
"lessThan": "5289795824b77489803b0802cd9edc13824a2d0b",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
},
{
"lessThan": "2d00158a06efe6bbcd020108634ea0f2ed8b32f7",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
},
{
"lessThan": "579944b9f38727d9ff570b58f83bc424e8af8398",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
},
{
"lessThan": "311242c7703df0da14c206260b7e855f69cb0264",
"status": "affected",
"version": "b5e29aa880be84c271be8d0726cec4018bfbfd74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mfd/davinci_voicecodec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:36.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49c1e32e7b3f301642a60448700ec531df981269"
},
{
"url": "https://git.kernel.org/stable/c/a1d4941d9a24999f680799f9bbde7f57351ca637"
},
{
"url": "https://git.kernel.org/stable/c/5289795824b77489803b0802cd9edc13824a2d0b"
},
{
"url": "https://git.kernel.org/stable/c/2d00158a06efe6bbcd020108634ea0f2ed8b32f7"
},
{
"url": "https://git.kernel.org/stable/c/579944b9f38727d9ff570b58f83bc424e8af8398"
},
{
"url": "https://git.kernel.org/stable/c/311242c7703df0da14c206260b7e855f69cb0264"
}
],
"title": "mfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49435",
"datePublished": "2025-02-26T02:12:51.554Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:36.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49105 (GCVE-0-2022-49105)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: wfx: fix an error handling in wfx_init_common()
One error handler of wfx_init_common() return without calling
ieee80211_free_hw(hw), which may result in memory leak. And I add
one err label to unify the error handler, which is useful for the
subsequent changes.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:12.268214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/wfx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93498c6e775ae91732a8109dba1bdcd324908f84",
"status": "affected",
"version": "a7a91ca5a23dbcc68f04d18ef7e765b1e4f64c7f",
"versionType": "git"
},
{
"lessThan": "86efcb524ae1889ae73f2a2f0bb7fff2ec757ab0",
"status": "affected",
"version": "a7a91ca5a23dbcc68f04d18ef7e765b1e4f64c7f",
"versionType": "git"
},
{
"lessThan": "ab0fed1fa744173433cfd1dbaf9239f200ded650",
"status": "affected",
"version": "a7a91ca5a23dbcc68f04d18ef7e765b1e4f64c7f",
"versionType": "git"
},
{
"lessThan": "9727912e906762a63c1a667c84731d3427653f88",
"status": "affected",
"version": "a7a91ca5a23dbcc68f04d18ef7e765b1e4f64c7f",
"versionType": "git"
},
{
"lessThan": "60f1d3c92dc1ef1026e5b917a329a7fa947da036",
"status": "affected",
"version": "a7a91ca5a23dbcc68f04d18ef7e765b1e4f64c7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/wfx/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: wfx: fix an error handling in wfx_init_common()\n\nOne error handler of wfx_init_common() return without calling\nieee80211_free_hw(hw), which may result in memory leak. And I add\none err label to unify the error handler, which is useful for the\nsubsequent changes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:57.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93498c6e775ae91732a8109dba1bdcd324908f84"
},
{
"url": "https://git.kernel.org/stable/c/86efcb524ae1889ae73f2a2f0bb7fff2ec757ab0"
},
{
"url": "https://git.kernel.org/stable/c/ab0fed1fa744173433cfd1dbaf9239f200ded650"
},
{
"url": "https://git.kernel.org/stable/c/9727912e906762a63c1a667c84731d3427653f88"
},
{
"url": "https://git.kernel.org/stable/c/60f1d3c92dc1ef1026e5b917a329a7fa947da036"
}
],
"title": "staging: wfx: fix an error handling in wfx_init_common()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49105",
"datePublished": "2025-02-26T01:54:53.509Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-10-01T19:57:05.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49548 (GCVE-0-2022-49548)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix potential array overflow in bpf_trampoline_get_progs()
The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not
include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of
the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline
can exceed BPF_MAX_TRAMP_PROGS.
When this happens, the assignment '*progs++ = aux->prog' in
bpf_trampoline_get_progs() will cause progs array overflow as the
progs field in the bpf_tramp_progs struct can only hold at most
BPF_MAX_TRAMP_PROGS bpf programs.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:25.966700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:39.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f845de2863334bed4f362e95853f5e7bc323737",
"status": "affected",
"version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
"versionType": "git"
},
{
"lessThan": "e36452d5da6325df7c10cffc60a9e68d21e2606d",
"status": "affected",
"version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
"versionType": "git"
},
{
"lessThan": "32c4559c61652f24c9fdd5440342196fe37453bc",
"status": "affected",
"version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
"versionType": "git"
},
{
"lessThan": "4f8897bcc20b9ae44758e0572538d741ab66f0dc",
"status": "affected",
"version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
"versionType": "git"
},
{
"lessThan": "a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d",
"status": "affected",
"version": "88fd9e5352fe05f7fe57778293aebd4cd106960b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.45",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix potential array overflow in bpf_trampoline_get_progs()\n\nThe cnt value in the \u0027cnt \u003e= BPF_MAX_TRAMP_PROGS\u0027 check does not\ninclude BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of\nthe attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline\ncan exceed BPF_MAX_TRAMP_PROGS.\n\nWhen this happens, the assignment \u0027*progs++ = aux-\u003eprog\u0027 in\nbpf_trampoline_get_progs() will cause progs array overflow as the\nprogs field in the bpf_tramp_progs struct can only hold at most\nBPF_MAX_TRAMP_PROGS bpf programs."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:18.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737"
},
{
"url": "https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d"
},
{
"url": "https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc"
},
{
"url": "https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc"
},
{
"url": "https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d"
}
],
"title": "bpf: Fix potential array overflow in bpf_trampoline_get_progs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49548",
"datePublished": "2025-02-26T02:13:59.797Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-10-01T19:46:39.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3435 (GCVE-0-2022-3435)
Vulnerability from cvelistv5
Published
2022-10-08 00:00
Modified
2025-04-15 13:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-119 - Memory Corruption -> CWE-125 Out-of-Bounds Read
Summary
A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lore.kernel.org/netdev/20221005181257.8897-1-dsahern%40kernel.org/T/#u"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.210357"
},
{
"name": "FEDORA-2022-2cfbe17910",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGHENNMLCWIQV2LLA56BJNFIUZ7WB4IY/"
},
{
"name": "FEDORA-2022-b948fc3cfb",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNN3VFQPECS6D4PS6ZWD7AFXTOSJDSSR/"
},
{
"name": "FEDORA-2022-1a5b125ac6",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2KTU5LFZNQS7YNGE56MT46VHMXL3DD2/"
},
{
"name": "[debian-lts-announce] 20221222 [SECURITY] [DLA 3244-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:10:02.272892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:46:07.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Memory Corruption -\u003e CWE-125 Out-of-Bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-22T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://lore.kernel.org/netdev/20221005181257.8897-1-dsahern%40kernel.org/T/#u"
},
{
"url": "https://vuldb.com/?id.210357"
},
{
"name": "FEDORA-2022-2cfbe17910",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGHENNMLCWIQV2LLA56BJNFIUZ7WB4IY/"
},
{
"name": "FEDORA-2022-b948fc3cfb",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNN3VFQPECS6D4PS6ZWD7AFXTOSJDSSR/"
},
{
"name": "FEDORA-2022-1a5b125ac6",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2KTU5LFZNQS7YNGE56MT46VHMXL3DD2/"
},
{
"name": "[debian-lts-announce] 20221222 [SECURITY] [DLA 3244-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
}
],
"title": "Linux Kernel IPv4 fib_semantics.c fib_nh_match out-of-bounds",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-3435",
"datePublished": "2022-10-08T00:00:00.000Z",
"dateReserved": "2022-10-08T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:46:07.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49418 (GCVE-0-2022-49418)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-06-19 12:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4: Fix free of uninitialized nfs4_label on referral lookup.
Send along the already-allocated fattr along with nfs4_fs_locations, and
drop the memcpy of fattr. We end up growing two more allocations, but this
fixes up a crash as:
PID: 790 TASK: ffff88811b43c000 CPU: 0 COMMAND: "ls"
#0 [ffffc90000857920] panic at ffffffff81b9bfde
#1 [ffffc900008579c0] do_trap at ffffffff81023a9b
#2 [ffffc90000857a10] do_error_trap at ffffffff81023b78
#3 [ffffc90000857a58] exc_stack_segment at ffffffff81be1f45
#4 [ffffc90000857a80] asm_exc_stack_segment at ffffffff81c009de
#5 [ffffc90000857b08] nfs_lookup at ffffffffa0302322 [nfs]
#6 [ffffc90000857b70] __lookup_slow at ffffffff813a4a5f
#7 [ffffc90000857c60] walk_component at ffffffff813a86c4
#8 [ffffc90000857cb8] path_lookupat at ffffffff813a9553
#9 [ffffc90000857cf0] filename_lookup at ffffffff813ab86b
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4namespace.c",
"fs/nfs/nfs4proc.c",
"fs/nfs/nfs4state.c",
"fs/nfs/nfs4xdr.c",
"include/linux/nfs_xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6015292653d95ba9f72906e2b65e536aa5807d64",
"status": "affected",
"version": "9558a007dbc383d48e7f5a123d0b5ff656c71068",
"versionType": "git"
},
{
"lessThan": "c3ed222745d9ad7b69299b349a64ba533c64a34f",
"status": "affected",
"version": "9558a007dbc383d48e7f5a123d0b5ff656c71068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4namespace.c",
"fs/nfs/nfs4proc.c",
"fs/nfs/nfs4state.c",
"fs/nfs/nfs4xdr.c",
"include/linux/nfs_xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix free of uninitialized nfs4_label on referral lookup.\n\nSend along the already-allocated fattr along with nfs4_fs_locations, and\ndrop the memcpy of fattr. We end up growing two more allocations, but this\nfixes up a crash as:\n\nPID: 790 TASK: ffff88811b43c000 CPU: 0 COMMAND: \"ls\"\n #0 [ffffc90000857920] panic at ffffffff81b9bfde\n #1 [ffffc900008579c0] do_trap at ffffffff81023a9b\n #2 [ffffc90000857a10] do_error_trap at ffffffff81023b78\n #3 [ffffc90000857a58] exc_stack_segment at ffffffff81be1f45\n #4 [ffffc90000857a80] asm_exc_stack_segment at ffffffff81c009de\n #5 [ffffc90000857b08] nfs_lookup at ffffffffa0302322 [nfs]\n #6 [ffffc90000857b70] __lookup_slow at ffffffff813a4a5f\n #7 [ffffc90000857c60] walk_component at ffffffff813a86c4\n #8 [ffffc90000857cb8] path_lookupat at ffffffff813a9553\n #9 [ffffc90000857cf0] filename_lookup at ffffffff813ab86b"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:39:09.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6015292653d95ba9f72906e2b65e536aa5807d64"
},
{
"url": "https://git.kernel.org/stable/c/c3ed222745d9ad7b69299b349a64ba533c64a34f"
}
],
"title": "NFSv4: Fix free of uninitialized nfs4_label on referral lookup.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49418",
"datePublished": "2025-02-26T02:12:43.359Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-06-19T12:39:09.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49226 (GCVE-0-2022-49226)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: asix: add proper error handling of usb read errors
Syzbot once again hit uninit value in asix driver. The problem still the
same -- asix_read_cmd() reads less bytes, than was requested by caller.
Since all read requests are performed via asix_read_cmd() let's catch
usb related error there and add __must_check notation to be sure all
callers actually check return value.
So, this patch adds sanity check inside asix_read_cmd(), that simply
checks if bytes read are not less, than was requested and adds missing
error handling of asix_read_cmd() all across the driver code.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix.h",
"drivers/net/usb/asix_common.c",
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b96a7265f763b37ff3138b9ca8122a950f13b00e",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
},
{
"lessThan": "9ea8d2fca8fea3b17005b4dc02f8ef15f7a2fb97",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
},
{
"lessThan": "662ff765470ad0d11a1153d6d8e99d69a98e60b4",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
},
{
"lessThan": "920a9fa27e7805499cfe78491b36fed2322c02ec",
"status": "affected",
"version": "d9fe64e511144c1ee7d7555b4111f09dde9692ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix.h",
"drivers/net/usb/asix_common.c",
"drivers/net/usb/asix_devices.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: asix: add proper error handling of usb read errors\n\nSyzbot once again hit uninit value in asix driver. The problem still the\nsame -- asix_read_cmd() reads less bytes, than was requested by caller.\n\nSince all read requests are performed via asix_read_cmd() let\u0027s catch\nusb related error there and add __must_check notation to be sure all\ncallers actually check return value.\n\nSo, this patch adds sanity check inside asix_read_cmd(), that simply\nchecks if bytes read are not less, than was requested and adds missing\nerror handling of asix_read_cmd() all across the driver code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:51.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b96a7265f763b37ff3138b9ca8122a950f13b00e"
},
{
"url": "https://git.kernel.org/stable/c/9ea8d2fca8fea3b17005b4dc02f8ef15f7a2fb97"
},
{
"url": "https://git.kernel.org/stable/c/662ff765470ad0d11a1153d6d8e99d69a98e60b4"
},
{
"url": "https://git.kernel.org/stable/c/920a9fa27e7805499cfe78491b36fed2322c02ec"
}
],
"title": "net: asix: add proper error handling of usb read errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49226",
"datePublished": "2025-02-26T01:55:55.716Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-05-04T08:32:51.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21870 (GCVE-0-2025-21870)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
Other, non DAI copier widgets could have the same stream name (sname) as
the ALH copier and in that case the copier->data is NULL, no alh_data is
attached, which could lead to NULL pointer dereference.
We could check for this NULL pointer in sof_ipc4_prepare_copier_module()
and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()
will miscalculate the ALH device count, causing broken audio.
The correct fix is to harden the matching logic by making sure that the
1. widget is a DAI widget - so dai = w->private is valid
2. the dai (and thus the copier) is ALH copier
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87c8768a96092ce75cd47fe076db5080db7ac515",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
},
{
"lessThan": "93c6c2e5801aab09ef1ef99f248f3cd323c3f152",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
},
{
"lessThan": "6fd60136d256b3b948333ebdb3835f41a95ab7ef",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers\n\nOther, non DAI copier widgets could have the same stream name (sname) as\nthe ALH copier and in that case the copier-\u003edata is NULL, no alh_data is\nattached, which could lead to NULL pointer dereference.\nWe could check for this NULL pointer in sof_ipc4_prepare_copier_module()\nand avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()\nwill miscalculate the ALH device count, causing broken audio.\n\nThe correct fix is to harden the matching logic by making sure that the\n1. widget is a DAI widget - so dai = w-\u003eprivate is valid\n2. the dai (and thus the copier) is ALH copier"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:54.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87c8768a96092ce75cd47fe076db5080db7ac515"
},
{
"url": "https://git.kernel.org/stable/c/93c6c2e5801aab09ef1ef99f248f3cd323c3f152"
},
{
"url": "https://git.kernel.org/stable/c/6fd60136d256b3b948333ebdb3835f41a95ab7ef"
}
],
"title": "ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21870",
"datePublished": "2025-03-27T13:38:22.849Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:54.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49455 (GCVE-0-2022-49455)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: ocxl: fix possible double free in ocxl_file_register_afu
info_release() will be called in device_unregister() when info->dev's
reference count is 0. So there is no need to call ocxl_afu_put() and
kfree() again.
Fix this by adding free_minor() and return to err_unregister error path.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 Version: 75ca758adbafc81804c39b2c200ecdc819a6c042 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:19.995096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:47.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de65c32ace9aa70d51facc61ba986607075e3a25",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "ee89d8dee55ab4b3b8ad8b70866b2841ba334767",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "8fb674216835e1f0c143762696d645facebb4685",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "252768d32e92c1214aeebb5fec0844ca479bcf5c",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "9e9087cf34ee69f4e95d146ac29385d6e367a97b",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "950cf957fe34d40d63dfa3bf3968210430b6491e",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible double free in ocxl_file_register_afu\n\ninfo_release() will be called in device_unregister() when info-\u003edev\u0027s\nreference count is 0. So there is no need to call ocxl_afu_put() and\nkfree() again.\n\nFix this by adding free_minor() and return to err_unregister error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:06.650Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de65c32ace9aa70d51facc61ba986607075e3a25"
},
{
"url": "https://git.kernel.org/stable/c/ee89d8dee55ab4b3b8ad8b70866b2841ba334767"
},
{
"url": "https://git.kernel.org/stable/c/8fb674216835e1f0c143762696d645facebb4685"
},
{
"url": "https://git.kernel.org/stable/c/252768d32e92c1214aeebb5fec0844ca479bcf5c"
},
{
"url": "https://git.kernel.org/stable/c/9e9087cf34ee69f4e95d146ac29385d6e367a97b"
},
{
"url": "https://git.kernel.org/stable/c/950cf957fe34d40d63dfa3bf3968210430b6491e"
}
],
"title": "misc: ocxl: fix possible double free in ocxl_file_register_afu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49455",
"datePublished": "2025-02-26T02:13:04.116Z",
"dateReserved": "2025-02-26T02:08:31.573Z",
"dateUpdated": "2025-10-01T19:46:47.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49263 (GCVE-0-2022-49263)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
This avoids leaking memory if brcmf_chip_get_raminfo fails. Note that
the CLM blob is released in the device remove path.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 Version: 82f93cf46d6007ffa003b2d4a2834563b6b84d21 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ab87f8dcdfe72dc1d763be3392c1fc51a1ace2",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "f3820ddaf4f3ac80c7401ccc6a42e663c9317f31",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "a88337a06966f2d733ad9a97714b874469133f14",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "4e0b507597e1a86e9b4c056ab274c427223cf8ea",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "0347bdfdb1529994ac3a4cb425087c477a74eb2c",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
},
{
"lessThan": "5e90f0f3ead014867dade7a22f93958119f5efab",
"status": "affected",
"version": "82f93cf46d6007ffa003b2d4a2834563b6b84d21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path\n\nThis avoids leaking memory if brcmf_chip_get_raminfo fails. Note that\nthe CLM blob is released in the device remove path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:38.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ab87f8dcdfe72dc1d763be3392c1fc51a1ace2"
},
{
"url": "https://git.kernel.org/stable/c/f3820ddaf4f3ac80c7401ccc6a42e663c9317f31"
},
{
"url": "https://git.kernel.org/stable/c/a88337a06966f2d733ad9a97714b874469133f14"
},
{
"url": "https://git.kernel.org/stable/c/4e0b507597e1a86e9b4c056ab274c427223cf8ea"
},
{
"url": "https://git.kernel.org/stable/c/0347bdfdb1529994ac3a4cb425087c477a74eb2c"
},
{
"url": "https://git.kernel.org/stable/c/5e90f0f3ead014867dade7a22f93958119f5efab"
}
],
"title": "brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49263",
"datePublished": "2025-02-26T01:56:14.061Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:38.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49683 (GCVE-0-2022-49683)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: adi-axi-adc: Fix refcount leak in adi_axi_adc_attach_client
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:52.324254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:46.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/adi-axi-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "501652a2ad5450b4908e1f204ce75b2414c305b7",
"status": "affected",
"version": "ef04070692a21633ec6a60f80c19b6af44b3cf47",
"versionType": "git"
},
{
"lessThan": "ab7bf025cee89db73c649216ddd2bc589c3d3862",
"status": "affected",
"version": "ef04070692a21633ec6a60f80c19b6af44b3cf47",
"versionType": "git"
},
{
"lessThan": "5eaa84e1605035a90a64d25b6cba79e89d188175",
"status": "affected",
"version": "ef04070692a21633ec6a60f80c19b6af44b3cf47",
"versionType": "git"
},
{
"lessThan": "ada7b0c0dedafd7d059115adf49e48acba3153a8",
"status": "affected",
"version": "ef04070692a21633ec6a60f80c19b6af44b3cf47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/adi-axi-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: adi-axi-adc: Fix refcount leak in adi_axi_adc_attach_client\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:14.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/501652a2ad5450b4908e1f204ce75b2414c305b7"
},
{
"url": "https://git.kernel.org/stable/c/ab7bf025cee89db73c649216ddd2bc589c3d3862"
},
{
"url": "https://git.kernel.org/stable/c/5eaa84e1605035a90a64d25b6cba79e89d188175"
},
{
"url": "https://git.kernel.org/stable/c/ada7b0c0dedafd7d059115adf49e48acba3153a8"
}
],
"title": "iio: adc: adi-axi-adc: Fix refcount leak in adi_axi_adc_attach_client",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49683",
"datePublished": "2025-02-26T02:24:11.201Z",
"dateReserved": "2025-02-26T02:21:30.440Z",
"dateUpdated": "2025-10-01T19:36:46.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49348 (GCVE-0-2022-49348)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-06-19 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: filter out EXT4_FC_REPLAY from on-disk superblock field s_state
The EXT4_FC_REPLAY bit in sbi->s_mount_state is used to indicate that
we are in the middle of replay the fast commit journal. This was
actually a mistake, since the sbi->s_mount_info is initialized from
es->s_state. Arguably s_mount_state is misleadingly named, but the
name is historical --- s_mount_state and s_state dates back to ext2.
What should have been used is the ext4_{set,clear,test}_mount_flag()
inline functions, which sets EXT4_MF_* bits in sbi->s_mount_flags.
The problem with using EXT4_FC_REPLAY is that a maliciously corrupted
superblock could result in EXT4_FC_REPLAY getting set in
s_mount_state. This bypasses some sanity checks, and this can trigger
a BUG() in ext4_es_cache_extent(). As a easy-to-backport-fix, filter
out the EXT4_FC_REPLAY bit for now. We should eventually transition
away from EXT4_FC_REPLAY to something like EXT4_MF_REPLAY.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc5b09cb6dacd4b32640537929ab4ee8fb2b9e04",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "b99fd73418350dea360da8311e87a6a7b0e15a4c",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "af2f1932743fb52ebcb008ad7ac500d9df0aa796",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "55b4dbb29054a05d839562f6d635ce05669b016d",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "c878bea3c9d724ddfa05a813f30de3d25a0ba83f",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filter out EXT4_FC_REPLAY from on-disk superblock field s_state\n\nThe EXT4_FC_REPLAY bit in sbi-\u003es_mount_state is used to indicate that\nwe are in the middle of replay the fast commit journal. This was\nactually a mistake, since the sbi-\u003es_mount_info is initialized from\nes-\u003es_state. Arguably s_mount_state is misleadingly named, but the\nname is historical --- s_mount_state and s_state dates back to ext2.\n\nWhat should have been used is the ext4_{set,clear,test}_mount_flag()\ninline functions, which sets EXT4_MF_* bits in sbi-\u003es_mount_flags.\n\nThe problem with using EXT4_FC_REPLAY is that a maliciously corrupted\nsuperblock could result in EXT4_FC_REPLAY getting set in\ns_mount_state. This bypasses some sanity checks, and this can trigger\na BUG() in ext4_es_cache_extent(). As a easy-to-backport-fix, filter\nout the EXT4_FC_REPLAY bit for now. We should eventually transition\naway from EXT4_FC_REPLAY to something like EXT4_MF_REPLAY."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:18.264Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc5b09cb6dacd4b32640537929ab4ee8fb2b9e04"
},
{
"url": "https://git.kernel.org/stable/c/b99fd73418350dea360da8311e87a6a7b0e15a4c"
},
{
"url": "https://git.kernel.org/stable/c/af2f1932743fb52ebcb008ad7ac500d9df0aa796"
},
{
"url": "https://git.kernel.org/stable/c/55b4dbb29054a05d839562f6d635ce05669b016d"
},
{
"url": "https://git.kernel.org/stable/c/c878bea3c9d724ddfa05a813f30de3d25a0ba83f"
}
],
"title": "ext4: filter out EXT4_FC_REPLAY from on-disk superblock field s_state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49348",
"datePublished": "2025-02-26T02:11:02.518Z",
"dateReserved": "2025-02-26T02:08:31.543Z",
"dateUpdated": "2025-06-19T12:56:18.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49228 (GCVE-0-2022-49228)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a btf decl_tag bug when tagging a function
syzbot reported a btf decl_tag bug with stack trace below:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]
RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910
...
Call Trace:
<TASK>
btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198
btf_check_all_types kernel/bpf/btf.c:4239 [inline]
btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]
btf_parse kernel/bpf/btf.c:4513 [inline]
btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047
bpf_btf_load kernel/bpf/syscall.c:4039 [inline]
__sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679
__do_sys_bpf kernel/bpf/syscall.c:4738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4736 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The kasan error is triggered with an illegal BTF like below:
type 0: void
type 1: int
type 2: decl_tag to func type 3
type 3: func to func_proto type 8
The total number of types is 4 and the type 3 is illegal
since its func_proto type is out of range.
Currently, the target type of decl_tag can be struct/union, var or func.
Both struct/union and var implemented their own 'resolve' callback functions
and hence handled properly in kernel.
But func type doesn't have 'resolve' callback function. When
btf_decl_tag_resolve() tries to check func type, it tries to get
vlen of its func_proto type, which triggered the above kasan error.
To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()
before trying to accessing func_proto type.
In the current implementation, func type is checked with
btf_func_check() in the main checking function btf_check_all_types().
To fix the above kasan issue, let us implement 'resolve' callback
func type properly. The 'resolve' callback will be also called
in btf_check_all_types() for func types.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3bcd2110c087bc62e90fddd4a93237b049d6e68",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "796d5666f6422ddadc938fb888044fcc16f2dbe3",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "d7e7b42f4f956f2c68ad8cda87d750093dbba737",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n ...\n Call Trace:\n \u003cTASK\u003e\n btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n btf_parse kernel/bpf/btf.c:4513 [inline]\n btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n type 0: void\n type 1: int\n type 2: decl_tag to func type 3\n type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own \u0027resolve\u0027 callback functions\nand hence handled properly in kernel.\nBut func type doesn\u0027t have \u0027resolve\u0027 callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement \u0027resolve\u0027 callback\nfunc type properly. The \u0027resolve\u0027 callback will be also called\nin btf_check_all_types() for func types."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:53.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68"
},
{
"url": "https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3"
},
{
"url": "https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737"
}
],
"title": "bpf: Fix a btf decl_tag bug when tagging a function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49228",
"datePublished": "2025-02-26T01:55:56.682Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-05-04T08:32:53.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49163 (GCVE-0-2022-49163)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imx-jpeg: fix a bug of accessing array out of bounds
When error occurs in parsing jpeg, the slot isn't acquired yet, it may
be the default value MXC_MAX_SLOTS.
If the driver access the slot using the incorrect slot number, it will
access array out of bounds.
The result is the driver will change num_domains, which follows
slot_data in struct mxc_jpeg_dev.
Then the driver won't detach the pm domain at rmmod, which will lead to
kernel panic when trying to insmod again.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02f9f97d54ffc85b50ad77f5b1f3c8f69cd17747",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "20c8b90430c5d6c4a3936eaa7c35aac670581487",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "e209e6db2e527db6a93b14c2deedf969caca78fc",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
},
{
"lessThan": "97558d170a1236280407e8d29a7d095d2c2ed554",
"status": "affected",
"version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: fix a bug of accessing array out of bounds\n\nWhen error occurs in parsing jpeg, the slot isn\u0027t acquired yet, it may\nbe the default value MXC_MAX_SLOTS.\nIf the driver access the slot using the incorrect slot number, it will\naccess array out of bounds.\nThe result is the driver will change num_domains, which follows\nslot_data in struct mxc_jpeg_dev.\nThen the driver won\u0027t detach the pm domain at rmmod, which will lead to\nkernel panic when trying to insmod again."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:20.976Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02f9f97d54ffc85b50ad77f5b1f3c8f69cd17747"
},
{
"url": "https://git.kernel.org/stable/c/20c8b90430c5d6c4a3936eaa7c35aac670581487"
},
{
"url": "https://git.kernel.org/stable/c/e209e6db2e527db6a93b14c2deedf969caca78fc"
},
{
"url": "https://git.kernel.org/stable/c/97558d170a1236280407e8d29a7d095d2c2ed554"
}
],
"title": "media: imx-jpeg: fix a bug of accessing array out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49163",
"datePublished": "2025-02-26T01:55:24.043Z",
"dateReserved": "2025-02-26T01:49:39.277Z",
"dateUpdated": "2025-05-04T08:31:20.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21796 (GCVE-0-2025-21796)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clear acl_access/acl_default after releasing them
If getting acl_default fails, acl_access and acl_default will be released
simultaneously. However, acl_access will still retain a pointer pointing
to the released posix_acl, which will trigger a WARNING in
nfs3svc_release_getacl like this:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28
refcount_warn_saturate+0xb5/0x170
Modules linked in:
CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted
6.12.0-rc6-00079-g04ae226af01f-dirty #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
RIP: 0010:refcount_warn_saturate+0xb5/0x170
Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75
e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb
cd 0f b6 1d 8a3
RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380
RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56
R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0
FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? refcount_warn_saturate+0xb5/0x170
? __warn+0xa5/0x140
? refcount_warn_saturate+0xb5/0x170
? report_bug+0x1b1/0x1e0
? handle_bug+0x53/0xa0
? exc_invalid_op+0x17/0x40
? asm_exc_invalid_op+0x1a/0x20
? tick_nohz_tick_stopped+0x1e/0x40
? refcount_warn_saturate+0xb5/0x170
? refcount_warn_saturate+0xb5/0x170
nfs3svc_release_getacl+0xc9/0xe0
svc_process_common+0x5db/0xb60
? __pfx_svc_process_common+0x10/0x10
? __rcu_read_unlock+0x69/0xa0
? __pfx_nfsd_dispatch+0x10/0x10
? svc_xprt_received+0xa1/0x120
? xdr_init_decode+0x11d/0x190
svc_process+0x2a7/0x330
svc_handle_xprt+0x69d/0x940
svc_recv+0x180/0x2d0
nfsd+0x168/0x200
? __pfx_nfsd+0x10/0x10
kthread+0x1a2/0x1e0
? kthread+0xf4/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
Clear acl_access/acl_default after posix_acl_release is called to prevent
UAF from being triggered.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 Version: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:11.080279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:40.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c",
"fs/nfsd/nfs3acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a1737ae42c928384ab6447f6ee1a882510e85fa",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "6f7cfee1a316891890c505563aa54f3476db52fd",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "2e59b2b68782519560b3d6a41dd66a3d01a01cd3",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "55d947315fb5f67a35e4e1d3e01bb886b9c6decf",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "f8d871523142f7895f250a856f8c4a4181614510",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "1fd94884174bd20beb1773990fd3b1aa877688d9",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "7faf14a7b0366f153284db0ad3347c457ea70136",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c",
"fs/nfsd/nfs3acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff \u003c0f\u003e 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS: 0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:24.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa"
},
{
"url": "https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd"
},
{
"url": "https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3"
},
{
"url": "https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf"
},
{
"url": "https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510"
},
{
"url": "https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9"
},
{
"url": "https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136"
}
],
"title": "nfsd: clear acl_access/acl_default after releasing them",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21796",
"datePublished": "2025-02-27T02:18:32.191Z",
"dateReserved": "2024-12-29T08:45:45.768Z",
"dateUpdated": "2025-11-03T20:59:40.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49473 (GCVE-0-2022-49473)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: ti: j721e-evm: Fix refcount leak in j721e_soc_probe_*
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:43.010636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/ti/j721e-evm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "510e879420b410d88c612aecc6ca15dc6fe77473",
"status": "affected",
"version": "6748d05590594837e42dfa975879fb275099f0b2",
"versionType": "git"
},
{
"lessThan": "2a3966b950b37a6f10c5f9caee15b4cdcf5a7413",
"status": "affected",
"version": "6748d05590594837e42dfa975879fb275099f0b2",
"versionType": "git"
},
{
"lessThan": "d748ff8fbb3a5296bddd586445dc692b079cbe3d",
"status": "affected",
"version": "6748d05590594837e42dfa975879fb275099f0b2",
"versionType": "git"
},
{
"lessThan": "554df0f70bff1ace6d2df2fcaddbc9b7bd509de2",
"status": "affected",
"version": "6748d05590594837e42dfa975879fb275099f0b2",
"versionType": "git"
},
{
"lessThan": "a34840c4eb3278a7c29c9c57a65ce7541c66f9f2",
"status": "affected",
"version": "6748d05590594837e42dfa975879fb275099f0b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/ti/j721e-evm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ti: j721e-evm: Fix refcount leak in j721e_soc_probe_*\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:28.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/510e879420b410d88c612aecc6ca15dc6fe77473"
},
{
"url": "https://git.kernel.org/stable/c/2a3966b950b37a6f10c5f9caee15b4cdcf5a7413"
},
{
"url": "https://git.kernel.org/stable/c/d748ff8fbb3a5296bddd586445dc692b079cbe3d"
},
{
"url": "https://git.kernel.org/stable/c/554df0f70bff1ace6d2df2fcaddbc9b7bd509de2"
},
{
"url": "https://git.kernel.org/stable/c/a34840c4eb3278a7c29c9c57a65ce7541c66f9f2"
}
],
"title": "ASoC: ti: j721e-evm: Fix refcount leak in j721e_soc_probe_*",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49473",
"datePublished": "2025-02-26T02:13:16.008Z",
"dateReserved": "2025-02-26T02:08:31.579Z",
"dateUpdated": "2025-10-01T19:46:46.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49051 (GCVE-0-2022-49051)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
aqc111_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:
- The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,
causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB
endianness flip to corrupt data used by a cloned SKB that has already
been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end,
causing out-of-bounds heap data to be considered part of the SKB's
data.
Found doing variant analysis. Tested it with another driver (ax88179_178a), since
I don't have a aqc111 device to test it, but the code looks very similar.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "404998a137bcb8a926f7c949030afbe285472593",
"status": "affected",
"version": "17364b805f5b9016bb528241ba91481e3497e5e1",
"versionType": "git"
},
{
"lessThan": "d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7",
"status": "affected",
"version": "17364b805f5b9016bb528241ba91481e3497e5e1",
"versionType": "git"
},
{
"lessThan": "b416898442f2b6aa9f1b2f2968ce07e3abaa05f7",
"status": "affected",
"version": "17364b805f5b9016bb528241ba91481e3497e5e1",
"versionType": "git"
},
{
"lessThan": "36311fe98f55dea9200c69e2dd6d6ddb8fc94080",
"status": "affected",
"version": "17364b805f5b9016bb528241ba91481e3497e5e1",
"versionType": "git"
},
{
"lessThan": "afb8e246527536848b9b4025b40e613edf776a9d",
"status": "affected",
"version": "17364b805f5b9016bb528241ba91481e3497e5e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n endianness flip to corrupt data used by a cloned SKB that has already\n been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n causing out-of-bounds heap data to be considered part of the SKB\u0027s\n data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don\u0027t have a aqc111 device to test it, but the code looks very similar."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:41.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593"
},
{
"url": "https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7"
},
{
"url": "https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7"
},
{
"url": "https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080"
},
{
"url": "https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d"
}
],
"title": "net: usb: aqc111: Fix out-of-bounds accesses in RX fixup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49051",
"datePublished": "2025-02-26T01:54:25.850Z",
"dateReserved": "2025-02-26T01:49:39.242Z",
"dateUpdated": "2025-05-04T08:28:41.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49544 (GCVE-0-2022-49544)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipw2x00: Fix potential NULL dereference in libipw_xmit()
crypt and crypt->ops could be null, so we need to checking null
before dereference
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:32.320918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:39.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/libipw_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ff6b0727c8988f25eeb670b6c038c1120bb58dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b4628e0d3754ab2fc98ee6e3d21851ba45798077",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "167affc11781d7d35c4c3a7630a549ac74dd0b21",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8fb1b9beb085bb767ae43e441db5ac6fcd66a04d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98d1dc32f890642476dbb78ed3437a456bf421b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48d4a820fd33f012e5f63735a59d15b5a3882882",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f7ea274e88c0eeffe6bd6dbf6cf5c479d356af6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "528d2023ccf4748fd542582955236c1634a7d293",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e8366bbabe1d207cf7c5b11ae50e223ae6fc278b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/libipw_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipw2x00: Fix potential NULL dereference in libipw_xmit()\n\ncrypt and crypt-\u003eops could be null, so we need to checking null\nbefore dereference"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:13.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ff6b0727c8988f25eeb670b6c038c1120bb58dd"
},
{
"url": "https://git.kernel.org/stable/c/b4628e0d3754ab2fc98ee6e3d21851ba45798077"
},
{
"url": "https://git.kernel.org/stable/c/167affc11781d7d35c4c3a7630a549ac74dd0b21"
},
{
"url": "https://git.kernel.org/stable/c/8fb1b9beb085bb767ae43e441db5ac6fcd66a04d"
},
{
"url": "https://git.kernel.org/stable/c/98d1dc32f890642476dbb78ed3437a456bf421b0"
},
{
"url": "https://git.kernel.org/stable/c/48d4a820fd33f012e5f63735a59d15b5a3882882"
},
{
"url": "https://git.kernel.org/stable/c/5f7ea274e88c0eeffe6bd6dbf6cf5c479d356af6"
},
{
"url": "https://git.kernel.org/stable/c/528d2023ccf4748fd542582955236c1634a7d293"
},
{
"url": "https://git.kernel.org/stable/c/e8366bbabe1d207cf7c5b11ae50e223ae6fc278b"
}
],
"title": "ipw2x00: Fix potential NULL dereference in libipw_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49544",
"datePublished": "2025-02-26T02:13:57.898Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-10-01T19:46:39.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49413 (GCVE-0-2022-49413)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfq: Update cgroup information before merging bio
When the process is migrated to a different cgroup (or in case of
writeback just starts submitting bios associated with a different
cgroup) bfq_merge_bio() can operate with stale cgroup information in
bic. Thus the bio can be merged to a request from a different cgroup or
it can result in merging of bfqqs for different cgroups or bfqqs of
already dead cgroups and causing possible use-after-free issues. Fix the
problem by updating cgroup information in bfq_merge_bio().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:22.832240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da9f3025d595956410ceaab2bea01980d7775948",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "b06691af08b41dfd81052a3362514d9827b44bb1",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "e8821f45612f2e6d9adb9c6ba0fb4184f57692aa",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "d9165200c5627a2cf4408eefabdf0058bdf95e1a",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "2a1077f17169a6059992a0bbdb330e0abad1e6d9",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "ea591cd4eb270393810e7be01feb8fde6a34fbbe",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Update cgroup information before merging bio\n\nWhen the process is migrated to a different cgroup (or in case of\nwriteback just starts submitting bios associated with a different\ncgroup) bfq_merge_bio() can operate with stale cgroup information in\nbic. Thus the bio can be merged to a request from a different cgroup or\nit can result in merging of bfqqs for different cgroups or bfqqs of\nalready dead cgroups and causing possible use-after-free issues. Fix the\nproblem by updating cgroup information in bfq_merge_bio()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:09.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da9f3025d595956410ceaab2bea01980d7775948"
},
{
"url": "https://git.kernel.org/stable/c/b06691af08b41dfd81052a3362514d9827b44bb1"
},
{
"url": "https://git.kernel.org/stable/c/e8821f45612f2e6d9adb9c6ba0fb4184f57692aa"
},
{
"url": "https://git.kernel.org/stable/c/d9165200c5627a2cf4408eefabdf0058bdf95e1a"
},
{
"url": "https://git.kernel.org/stable/c/2a1077f17169a6059992a0bbdb330e0abad1e6d9"
},
{
"url": "https://git.kernel.org/stable/c/ea591cd4eb270393810e7be01feb8fde6a34fbbe"
}
],
"title": "bfq: Update cgroup information before merging bio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49413",
"datePublished": "2025-02-26T02:12:34.604Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-05-04T08:37:09.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49671 (GCVE-0-2022-49671)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cm: Fix memory leak in ib_cm_insert_listen
cm_alloc_id_priv() allocates resource for the cm_id_priv. When
cm_init_listen() fails it doesn't free it, leading to memory leak.
Add the missing error unwind.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:18.582567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:47.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0cab8b517aeaf2592c3479294f934209c41a26f",
"status": "affected",
"version": "98f67156a80f37db70ec64787020b1f9bc8aea8c",
"versionType": "git"
},
{
"lessThan": "889000874c1204e47c7f2a4945db262a47e7efc9",
"status": "affected",
"version": "98f67156a80f37db70ec64787020b1f9bc8aea8c",
"versionType": "git"
},
{
"lessThan": "2febf09a8a8ae4accf908f043f1bab1421056568",
"status": "affected",
"version": "98f67156a80f37db70ec64787020b1f9bc8aea8c",
"versionType": "git"
},
{
"lessThan": "2990f223ffa7bb25422956b9f79f9176a5b38346",
"status": "affected",
"version": "98f67156a80f37db70ec64787020b1f9bc8aea8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix memory leak in ib_cm_insert_listen\n\ncm_alloc_id_priv() allocates resource for the cm_id_priv. When\ncm_init_listen() fails it doesn\u0027t free it, leading to memory leak.\n\nAdd the missing error unwind."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:59.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0cab8b517aeaf2592c3479294f934209c41a26f"
},
{
"url": "https://git.kernel.org/stable/c/889000874c1204e47c7f2a4945db262a47e7efc9"
},
{
"url": "https://git.kernel.org/stable/c/2febf09a8a8ae4accf908f043f1bab1421056568"
},
{
"url": "https://git.kernel.org/stable/c/2990f223ffa7bb25422956b9f79f9176a5b38346"
}
],
"title": "RDMA/cm: Fix memory leak in ib_cm_insert_listen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49671",
"datePublished": "2025-02-26T02:24:04.608Z",
"dateReserved": "2025-02-26T02:21:30.437Z",
"dateUpdated": "2025-10-01T19:36:47.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49097 (GCVE-0-2022-49097)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Avoid writeback threads getting stuck in mempool_alloc()
In a low memory situation, allow the NFS writeback code to fail without
getting stuck in infinite loops in mempool_alloc().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c74e2f6ecc51bd08bb5b0335477dba954a50592e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea029e4ce760f786919d06ef52efa2e50ea92a5f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b3fa9a3c420c31e77b406ddc28f3a627100516c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a6caeddd68977a1aaaf62fbd1955b41dd5c3c5d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bae835b63c53f86cdc524f5962e39409585b22c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/pagelist.c",
"fs/nfs/write.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Avoid writeback threads getting stuck in mempool_alloc()\n\nIn a low memory situation, allow the NFS writeback code to fail without\ngetting stuck in infinite loops in mempool_alloc()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:49.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c74e2f6ecc51bd08bb5b0335477dba954a50592e"
},
{
"url": "https://git.kernel.org/stable/c/ea029e4ce760f786919d06ef52efa2e50ea92a5f"
},
{
"url": "https://git.kernel.org/stable/c/1b3fa9a3c420c31e77b406ddc28f3a627100516c"
},
{
"url": "https://git.kernel.org/stable/c/a6caeddd68977a1aaaf62fbd1955b41dd5c3c5d3"
},
{
"url": "https://git.kernel.org/stable/c/0bae835b63c53f86cdc524f5962e39409585b22c"
}
],
"title": "NFS: Avoid writeback threads getting stuck in mempool_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49097",
"datePublished": "2025-02-26T01:54:49.601Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:49.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49368 (GCVE-0-2022-49368)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
The "fsp->location" variable comes from user via ethtool_get_rxnfc().
Check that it is valid to prevent an out of bounds read.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd Version: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:28.090960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:53.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4f0e57ea0d867aacffad7999527e48bd4ea9293",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "5ba81f82607ead85fe36f50869fc4f5661359ab8",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "657e7174603f0aab2cdedc64ac81edffd2a87afe",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "2bd1faedb74dc2a2be3972abcd4239b75a3e7b00",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "71ae30662ec610b92644d13f79c78f76f17873b3",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "b24ca1cf846273361d5bd73a35de95a486a54b6d",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "4cde554c70d7397cfa2e4116bacb4accdfb6fd48",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "0b238f75b65ed4462ef4cdfa718cac0ac7fce3b8",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "e7e7104e2d5ddf3806a28695670f21bef471f1e1",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()\n\nThe \"fsp-\u003elocation\" variable comes from user via ethtool_get_rxnfc().\nCheck that it is valid to prevent an out of bounds read."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:12.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4f0e57ea0d867aacffad7999527e48bd4ea9293"
},
{
"url": "https://git.kernel.org/stable/c/5ba81f82607ead85fe36f50869fc4f5661359ab8"
},
{
"url": "https://git.kernel.org/stable/c/657e7174603f0aab2cdedc64ac81edffd2a87afe"
},
{
"url": "https://git.kernel.org/stable/c/2bd1faedb74dc2a2be3972abcd4239b75a3e7b00"
},
{
"url": "https://git.kernel.org/stable/c/71ae30662ec610b92644d13f79c78f76f17873b3"
},
{
"url": "https://git.kernel.org/stable/c/b24ca1cf846273361d5bd73a35de95a486a54b6d"
},
{
"url": "https://git.kernel.org/stable/c/4cde554c70d7397cfa2e4116bacb4accdfb6fd48"
},
{
"url": "https://git.kernel.org/stable/c/0b238f75b65ed4462ef4cdfa718cac0ac7fce3b8"
},
{
"url": "https://git.kernel.org/stable/c/e7e7104e2d5ddf3806a28695670f21bef471f1e1"
}
],
"title": "net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49368",
"datePublished": "2025-02-26T02:11:12.193Z",
"dateReserved": "2025-02-26T02:08:31.555Z",
"dateUpdated": "2025-10-01T19:46:53.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49131 (GCVE-0-2022-49131)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: fix kernel panic during unload/load ath11k modules
Call netif_napi_del() from ath11k_ahb_free_ext_irq() to fix
the following kernel panic when unload/load ath11k modules
for few iterations.
[ 971.201365] Unable to handle kernel paging request at virtual address 6d97a208
[ 971.204227] pgd = 594c2919
[ 971.211478] [6d97a208] *pgd=00000000
[ 971.214120] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 971.412024] CPU: 2 PID: 4435 Comm: insmod Not tainted 5.4.89 #0
[ 971.434256] Hardware name: Generic DT based system
[ 971.440165] PC is at napi_by_id+0x10/0x40
[ 971.445019] LR is at netif_napi_add+0x160/0x1dc
[ 971.743127] (napi_by_id) from [<807d89a0>] (netif_napi_add+0x160/0x1dc)
[ 971.751295] (netif_napi_add) from [<7f1209ac>] (ath11k_ahb_config_irq+0xf8/0x414 [ath11k_ahb])
[ 971.759164] (ath11k_ahb_config_irq [ath11k_ahb]) from [<7f12135c>] (ath11k_ahb_probe+0x40c/0x51c [ath11k_ahb])
[ 971.768567] (ath11k_ahb_probe [ath11k_ahb]) from [<80666864>] (platform_drv_probe+0x48/0x94)
[ 971.779670] (platform_drv_probe) from [<80664718>] (really_probe+0x1c8/0x450)
[ 971.789389] (really_probe) from [<80664cc4>] (driver_probe_device+0x15c/0x1b8)
[ 971.797547] (driver_probe_device) from [<80664f60>] (device_driver_attach+0x44/0x60)
[ 971.805795] (device_driver_attach) from [<806650a0>] (__driver_attach+0x124/0x140)
[ 971.814822] (__driver_attach) from [<80662adc>] (bus_for_each_dev+0x58/0xa4)
[ 971.823328] (bus_for_each_dev) from [<80663a2c>] (bus_add_driver+0xf0/0x1e8)
[ 971.831662] (bus_add_driver) from [<806658a4>] (driver_register+0xa8/0xf0)
[ 971.839822] (driver_register) from [<8030269c>] (do_one_initcall+0x78/0x1ac)
[ 971.847638] (do_one_initcall) from [<80392524>] (do_init_module+0x54/0x200)
[ 971.855968] (do_init_module) from [<803945b0>] (load_module+0x1e30/0x1ffc)
[ 971.864126] (load_module) from [<803948b0>] (sys_init_module+0x134/0x17c)
[ 971.871852] (sys_init_module) from [<80301000>] (ret_fast_syscall+0x0/0x50)
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.6.0.1-00760-QCAHKSWPL_SILICONZ-1
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:17.096820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:02.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/ahb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6a815f5abdf324108799829dd19ea62fef4bf95",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "c4b7653af62a9a5efe2856183d1f987c5429758b",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "699e8c87e5c406af0f0606f40eeebd248c51b702",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "38e488db194dc16d2eb23c77c6a8c04ff583c40d",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "22b59cb965f79ee1accf83172441c9ca0ecb632a",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/ahb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix kernel panic during unload/load ath11k modules\n\nCall netif_napi_del() from ath11k_ahb_free_ext_irq() to fix\nthe following kernel panic when unload/load ath11k modules\nfor few iterations.\n\n[ 971.201365] Unable to handle kernel paging request at virtual address 6d97a208\n[ 971.204227] pgd = 594c2919\n[ 971.211478] [6d97a208] *pgd=00000000\n[ 971.214120] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n[ 971.412024] CPU: 2 PID: 4435 Comm: insmod Not tainted 5.4.89 #0\n[ 971.434256] Hardware name: Generic DT based system\n[ 971.440165] PC is at napi_by_id+0x10/0x40\n[ 971.445019] LR is at netif_napi_add+0x160/0x1dc\n\n[ 971.743127] (napi_by_id) from [\u003c807d89a0\u003e] (netif_napi_add+0x160/0x1dc)\n[ 971.751295] (netif_napi_add) from [\u003c7f1209ac\u003e] (ath11k_ahb_config_irq+0xf8/0x414 [ath11k_ahb])\n[ 971.759164] (ath11k_ahb_config_irq [ath11k_ahb]) from [\u003c7f12135c\u003e] (ath11k_ahb_probe+0x40c/0x51c [ath11k_ahb])\n[ 971.768567] (ath11k_ahb_probe [ath11k_ahb]) from [\u003c80666864\u003e] (platform_drv_probe+0x48/0x94)\n[ 971.779670] (platform_drv_probe) from [\u003c80664718\u003e] (really_probe+0x1c8/0x450)\n[ 971.789389] (really_probe) from [\u003c80664cc4\u003e] (driver_probe_device+0x15c/0x1b8)\n[ 971.797547] (driver_probe_device) from [\u003c80664f60\u003e] (device_driver_attach+0x44/0x60)\n[ 971.805795] (device_driver_attach) from [\u003c806650a0\u003e] (__driver_attach+0x124/0x140)\n[ 971.814822] (__driver_attach) from [\u003c80662adc\u003e] (bus_for_each_dev+0x58/0xa4)\n[ 971.823328] (bus_for_each_dev) from [\u003c80663a2c\u003e] (bus_add_driver+0xf0/0x1e8)\n[ 971.831662] (bus_add_driver) from [\u003c806658a4\u003e] (driver_register+0xa8/0xf0)\n[ 971.839822] (driver_register) from [\u003c8030269c\u003e] (do_one_initcall+0x78/0x1ac)\n[ 971.847638] (do_one_initcall) from [\u003c80392524\u003e] (do_init_module+0x54/0x200)\n[ 971.855968] (do_init_module) from [\u003c803945b0\u003e] (load_module+0x1e30/0x1ffc)\n[ 971.864126] (load_module) from [\u003c803948b0\u003e] (sys_init_module+0x134/0x17c)\n[ 971.871852] (sys_init_module) from [\u003c80301000\u003e] (ret_fast_syscall+0x0/0x50)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.6.0.1-00760-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:39.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6a815f5abdf324108799829dd19ea62fef4bf95"
},
{
"url": "https://git.kernel.org/stable/c/c4b7653af62a9a5efe2856183d1f987c5429758b"
},
{
"url": "https://git.kernel.org/stable/c/699e8c87e5c406af0f0606f40eeebd248c51b702"
},
{
"url": "https://git.kernel.org/stable/c/38e488db194dc16d2eb23c77c6a8c04ff583c40d"
},
{
"url": "https://git.kernel.org/stable/c/22b59cb965f79ee1accf83172441c9ca0ecb632a"
}
],
"title": "ath11k: fix kernel panic during unload/load ath11k modules",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49131",
"datePublished": "2025-02-26T01:55:06.615Z",
"dateReserved": "2025-02-26T01:49:39.267Z",
"dateUpdated": "2025-10-01T19:57:02.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49180 (GCVE-0-2022-49180)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
LSM: general protection fault in legacy_parse_param
The usual LSM hook "bail on fail" scheme doesn't work for cases where
a security module may return an error code indicating that it does not
recognize an input. In this particular case Smack sees a mount option
that it recognizes, and returns 0. A call to a BPF hook follows, which
returns -ENOPARAM, which confuses the caller because Smack has processed
its data.
The SELinux hook incorrectly returns 1 on success. There was a time
when this was correct, however the current expectation is that it
return 0 on success. This is repaired.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/security.c",
"security/selinux/hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddcdda888e14ca451b3ee83d11b65b2a9c8e783b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2784604c8c6fc523248f8f80a421c313a9d790b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3f93a1aaafc3032e0a9655fb43deccfb3e953a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "00fc07fa0b4a004711b6e1a944f0d2e46f7093b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cadae7c5e477aaafcba819b8e4a3d1c1a1503b62",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ecff30575b5ad0eda149aadad247b7f75411fd47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/security.c",
"security/selinux/hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLSM: general protection fault in legacy_parse_param\n\nThe usual LSM hook \"bail on fail\" scheme doesn\u0027t work for cases where\na security module may return an error code indicating that it does not\nrecognize an input. In this particular case Smack sees a mount option\nthat it recognizes, and returns 0. A call to a BPF hook follows, which\nreturns -ENOPARAM, which confuses the caller because Smack has processed\nits data.\n\nThe SELinux hook incorrectly returns 1 on success. There was a time\nwhen this was correct, however the current expectation is that it\nreturn 0 on success. This is repaired."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:43.686Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddcdda888e14ca451b3ee83d11b65b2a9c8e783b"
},
{
"url": "https://git.kernel.org/stable/c/2784604c8c6fc523248f8f80a421c313a9d790b7"
},
{
"url": "https://git.kernel.org/stable/c/f3f93a1aaafc3032e0a9655fb43deccfb3e953a3"
},
{
"url": "https://git.kernel.org/stable/c/00fc07fa0b4a004711b6e1a944f0d2e46f7093b7"
},
{
"url": "https://git.kernel.org/stable/c/cadae7c5e477aaafcba819b8e4a3d1c1a1503b62"
},
{
"url": "https://git.kernel.org/stable/c/ecff30575b5ad0eda149aadad247b7f75411fd47"
}
],
"title": "LSM: general protection fault in legacy_parse_param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49180",
"datePublished": "2025-02-26T01:55:32.590Z",
"dateReserved": "2025-02-26T01:49:39.282Z",
"dateUpdated": "2025-05-04T08:31:43.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49109 (GCVE-0-2022-49109)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix inode reference leakage in ceph_get_snapdir()
The ceph_get_inode() will search for or insert a new inode into the
hash for the given vino, and return a reference to it. If new is
non-NULL, its reference is consumed.
We should release the reference when in error handing cases.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ae7163598c611a8892698e0c056fe794e52b44b",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "9cd21981dedfb4fe9f344529e4be35727cb10940",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "b2d9bb3f06abddefdfa740b0a604575b6797e1bf",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "322794d3355c33adcc4feace0045d85a8e4ed813",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix inode reference leakage in ceph_get_snapdir()\n\nThe ceph_get_inode() will search for or insert a new inode into the\nhash for the given vino, and return a reference to it. If new is\nnon-NULL, its reference is consumed.\n\nWe should release the reference when in error handing cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:04.375Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ae7163598c611a8892698e0c056fe794e52b44b"
},
{
"url": "https://git.kernel.org/stable/c/9cd21981dedfb4fe9f344529e4be35727cb10940"
},
{
"url": "https://git.kernel.org/stable/c/b2d9bb3f06abddefdfa740b0a604575b6797e1bf"
},
{
"url": "https://git.kernel.org/stable/c/322794d3355c33adcc4feace0045d85a8e4ed813"
}
],
"title": "ceph: fix inode reference leakage in ceph_get_snapdir()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49109",
"datePublished": "2025-02-26T01:54:55.508Z",
"dateReserved": "2025-02-26T01:49:39.251Z",
"dateUpdated": "2025-05-04T08:30:04.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47650 (GCVE-0-2021-47650)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-compress: prevent the potentially use of null pointer
There is one call trace that snd_soc_register_card()
->snd_soc_bind_card()->soc_init_pcm_runtime()
->snd_soc_dai_compress_new()->snd_soc_new_compress().
In the trace the 'codec_dai' transfers from card->dai_link,
and we can see from the snd_soc_add_pcm_runtime() in
snd_soc_bind_card() that, if value of card->dai_link->num_codecs
is 0, then 'codec_dai' could be null pointer caused
by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'.
And snd_soc_register_card() is called by various platforms.
Therefore, it is better to add the check in the case of misusing.
And because 'cpu_dai' has already checked in soc_init_pcm_runtime(),
there is no need to check again.
Adding the check as follow, then if 'codec_dai' is null,
snd_soc_new_compress() will not pass through the check
'if (playback + capture != 1)', avoiding the leftover use of
'codec_dai'.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 Version: 467fece8fbc6774a3a3bd0981e1a342fb5022706 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68a69ad8df959e5211ed4a8e120783b2d352ea74",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
},
{
"lessThan": "4639c1d97f385f4784f44d66a3da0672f4951ada",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
},
{
"lessThan": "fc237b8d624f4bcb0f21a532627ce4e3b3a85569",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
},
{
"lessThan": "08af6da684b44097ea09f1d74d5858b837ed203b",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
},
{
"lessThan": "f69a75cb8a98c6c487d620442c68595726a69f60",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
},
{
"lessThan": "de2c6f98817fa5decb9b7d3b3a8a3ab864c10588",
"status": "affected",
"version": "467fece8fbc6774a3a3bd0981e1a342fb5022706",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: prevent the potentially use of null pointer\n\nThere is one call trace that snd_soc_register_card()\n-\u003esnd_soc_bind_card()-\u003esoc_init_pcm_runtime()\n-\u003esnd_soc_dai_compress_new()-\u003esnd_soc_new_compress().\nIn the trace the \u0027codec_dai\u0027 transfers from card-\u003edai_link,\nand we can see from the snd_soc_add_pcm_runtime() in\nsnd_soc_bind_card() that, if value of card-\u003edai_link-\u003enum_codecs\nis 0, then \u0027codec_dai\u0027 could be null pointer caused\nby index out of bound in \u0027asoc_rtd_to_codec(rtd, 0)\u0027.\nAnd snd_soc_register_card() is called by various platforms.\nTherefore, it is better to add the check in the case of misusing.\nAnd because \u0027cpu_dai\u0027 has already checked in soc_init_pcm_runtime(),\nthere is no need to check again.\nAdding the check as follow, then if \u0027codec_dai\u0027 is null,\nsnd_soc_new_compress() will not pass through the check\n\u0027if (playback + capture != 1)\u0027, avoiding the leftover use of\n\u0027codec_dai\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:31.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68a69ad8df959e5211ed4a8e120783b2d352ea74"
},
{
"url": "https://git.kernel.org/stable/c/4639c1d97f385f4784f44d66a3da0672f4951ada"
},
{
"url": "https://git.kernel.org/stable/c/fc237b8d624f4bcb0f21a532627ce4e3b3a85569"
},
{
"url": "https://git.kernel.org/stable/c/08af6da684b44097ea09f1d74d5858b837ed203b"
},
{
"url": "https://git.kernel.org/stable/c/f69a75cb8a98c6c487d620442c68595726a69f60"
},
{
"url": "https://git.kernel.org/stable/c/de2c6f98817fa5decb9b7d3b3a8a3ab864c10588"
}
],
"title": "ASoC: soc-compress: prevent the potentially use of null pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47650",
"datePublished": "2025-02-26T01:54:17.052Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-05-04T07:15:31.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53028 (GCVE-0-2023-53028)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()"
This reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.
ieee80211_if_free() is already called from free_netdev(ndev)
because ndev->priv_destructor == ieee80211_if_free
syzbot reported:
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]
RIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]
RIP: 0010:free_percpu mm/percpu.c:2271 [inline]
RIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254
Code: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90004ba7068 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004
RDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020
RBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000
R13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988
FS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352
ieee80211_register_hw+0x2663/0x4040 net/mac80211/main.c:1411
mac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583
hwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176
genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x712/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:18:24.516551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:18:27.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/iface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71e5cd1018d345e649e63f74a56c1897f99db7e9",
"status": "affected",
"version": "b2c0b94f48373ee743a4d63825a9d52364418837",
"versionType": "git"
},
{
"lessThan": "982c8b1e95c088f5d8f65967ec25be66e961401c",
"status": "affected",
"version": "2e32f1299814e8aa2e75aa58704543a36ea3e201",
"versionType": "git"
},
{
"lessThan": "effecd8d116d3d3a28b4f628e61bba8d318fdfcf",
"status": "affected",
"version": "9a50a7f64243bd21a84353c371f3977b9ffd9fa5",
"versionType": "git"
},
{
"lessThan": "80f8a66dede0a4b4e9e846765a97809c6fe49ce5",
"status": "affected",
"version": "13e5afd3d773c6fc6ca2b89027befaaaa1ea7293",
"versionType": "git"
},
{
"status": "affected",
"version": "147537737a3c83e07a5295de38424c21d354d2a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/iface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.10.165",
"status": "affected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThan": "5.15.90",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.165",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"wifi: mac80211: fix memory leak in ieee80211_if_add()\"\n\nThis reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.\n\nieee80211_if_free() is already called from free_netdev(ndev)\nbecause ndev-\u003epriv_destructor == ieee80211_if_free\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]\nRIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]\nRIP: 0010:free_percpu mm/percpu.c:2271 [inline]\nRIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254\nCode: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 \u003c80\u003e 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc\nRSP: 0018:ffffc90004ba7068 EFLAGS: 00010002\nRAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004\nRDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020\nRBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000\nR13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988\nFS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\nnetdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352\nieee80211_register_hw+0x2663/0x4040 net/mac80211/main.c:1411\nmac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583\nhwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176\ngenl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968\ngenl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\ngenl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065\nnetlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564\ngenl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\nnetlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\nnetlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356\nnetlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg+0xd3/0x120 net/socket.c:734\n____sys_sendmsg+0x712/0x8c0 net/socket.c:2476\n___sys_sendmsg+0x110/0x1b0 net/socket.c:2530\n__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:07.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71e5cd1018d345e649e63f74a56c1897f99db7e9"
},
{
"url": "https://git.kernel.org/stable/c/982c8b1e95c088f5d8f65967ec25be66e961401c"
},
{
"url": "https://git.kernel.org/stable/c/effecd8d116d3d3a28b4f628e61bba8d318fdfcf"
},
{
"url": "https://git.kernel.org/stable/c/80f8a66dede0a4b4e9e846765a97809c6fe49ce5"
}
],
"title": "Revert \"wifi: mac80211: fix memory leak in ieee80211_if_add()\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53028",
"datePublished": "2025-03-27T16:43:57.568Z",
"dateReserved": "2025-03-27T16:40:15.756Z",
"dateUpdated": "2025-10-01T17:18:27.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47656 (GCVE-0-2021-47656)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
When we mount a jffs2 image, assume that the first few blocks of
the image are normal and contain at least one xattr-related inode,
but the next block is abnormal. As a result, an error is returned
in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
called in jffs2_build_filesystem() and then again in
jffs2_do_fill_super().
Finally we can observe the following report:
==================================================================
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
Read of size 8 at addr ffff8881243384e0 by task mount/719
Call Trace:
dump_stack+0x115/0x16b
jffs2_clear_xattr_subsystem+0x95/0x6ac
jffs2_do_fill_super+0x84f/0xc30
jffs2_fill_super+0x2ea/0x4c0
mtd_get_sb+0x254/0x400
mtd_get_sb_by_nr+0x4f/0xd0
get_tree_mtd+0x498/0x840
jffs2_get_tree+0x25/0x30
vfs_get_tree+0x8d/0x2e0
path_mount+0x50f/0x1e50
do_mount+0x107/0x130
__se_sys_mount+0x1c5/0x2f0
__x64_sys_mount+0xc7/0x160
do_syscall_64+0x45/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 719:
kasan_save_stack+0x23/0x60
__kasan_kmalloc.constprop.0+0x10b/0x120
kasan_slab_alloc+0x12/0x20
kmem_cache_alloc+0x1c0/0x870
jffs2_alloc_xattr_ref+0x2f/0xa0
jffs2_scan_medium.cold+0x3713/0x4794
jffs2_do_mount_fs.cold+0xa7/0x2253
jffs2_do_fill_super+0x383/0xc30
jffs2_fill_super+0x2ea/0x4c0
[...]
Freed by task 719:
kmem_cache_free+0xcc/0x7b0
jffs2_free_xattr_ref+0x78/0x98
jffs2_clear_xattr_subsystem+0xa1/0x6ac
jffs2_do_mount_fs.cold+0x5e6/0x2253
jffs2_do_fill_super+0x383/0xc30
jffs2_fill_super+0x2ea/0x4c0
[...]
The buggy address belongs to the object at ffff8881243384b8
which belongs to the cache jffs2_xattr_ref of size 48
The buggy address is located 40 bytes inside of
48-byte region [ffff8881243384b8, ffff8881243384e8)
[...]
==================================================================
The triggering of the BUG is shown in the following stack:
-----------------------------------------------------------
jffs2_fill_super
jffs2_do_fill_super
jffs2_do_mount_fs
jffs2_build_filesystem
jffs2_scan_medium
jffs2_scan_eraseblock <--- ERROR
jffs2_clear_xattr_subsystem <--- free
jffs2_clear_xattr_subsystem <--- free again
-----------------------------------------------------------
An error is returned in jffs2_do_mount_fs(). If the error is returned
by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
be executed. If the error is returned by jffs2_build_filesystem(), the
jffs2_clear_xattr_subsystem() also does not need to be executed again.
So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
to fix this UAF problem.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe Version: aa98d7cf59b5b0764d3502662053489585faf2fe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:35.381270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jffs2/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9150cb625b46f68d524f4cfd491f1aafc23e10a9",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "3bd2454162ec6bbb5503233c804fce6e4b6dcec5",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "c3b07c875fa8f906f932976460fd14798596f101",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "30bf7244acf32f19cb722c39f7bc1c2a9f300422",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "7bb7428dd73991bf4b3a7a61b493ca50046c2b13",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "7a75740206af5f17e9f3efa384211cba70213da1",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "22327bd7988f21de3a53c1373f3b81542bfe1f44",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "8c0f024f29e055840a5a89fe23b96ae3f921afed",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
},
{
"lessThan": "4c7c44ee1650677fbe89d86edbad9497b7679b5c",
"status": "affected",
"version": "aa98d7cf59b5b0764d3502662053489585faf2fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jffs2/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix use-after-free in jffs2_clear_xattr_subsystem\n\nWhen we mount a jffs2 image, assume that the first few blocks of\nthe image are normal and contain at least one xattr-related inode,\nbut the next block is abnormal. As a result, an error is returned\nin jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then\ncalled in jffs2_build_filesystem() and then again in\njffs2_do_fill_super().\n\nFinally we can observe the following report:\n ==================================================================\n BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac\n Read of size 8 at addr ffff8881243384e0 by task mount/719\n\n Call Trace:\n dump_stack+0x115/0x16b\n jffs2_clear_xattr_subsystem+0x95/0x6ac\n jffs2_do_fill_super+0x84f/0xc30\n jffs2_fill_super+0x2ea/0x4c0\n mtd_get_sb+0x254/0x400\n mtd_get_sb_by_nr+0x4f/0xd0\n get_tree_mtd+0x498/0x840\n jffs2_get_tree+0x25/0x30\n vfs_get_tree+0x8d/0x2e0\n path_mount+0x50f/0x1e50\n do_mount+0x107/0x130\n __se_sys_mount+0x1c5/0x2f0\n __x64_sys_mount+0xc7/0x160\n do_syscall_64+0x45/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\n Allocated by task 719:\n kasan_save_stack+0x23/0x60\n __kasan_kmalloc.constprop.0+0x10b/0x120\n kasan_slab_alloc+0x12/0x20\n kmem_cache_alloc+0x1c0/0x870\n jffs2_alloc_xattr_ref+0x2f/0xa0\n jffs2_scan_medium.cold+0x3713/0x4794\n jffs2_do_mount_fs.cold+0xa7/0x2253\n jffs2_do_fill_super+0x383/0xc30\n jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n Freed by task 719:\n kmem_cache_free+0xcc/0x7b0\n jffs2_free_xattr_ref+0x78/0x98\n jffs2_clear_xattr_subsystem+0xa1/0x6ac\n jffs2_do_mount_fs.cold+0x5e6/0x2253\n jffs2_do_fill_super+0x383/0xc30\n jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n The buggy address belongs to the object at ffff8881243384b8\n which belongs to the cache jffs2_xattr_ref of size 48\n The buggy address is located 40 bytes inside of\n 48-byte region [ffff8881243384b8, ffff8881243384e8)\n [...]\n ==================================================================\n\nThe triggering of the BUG is shown in the following stack:\n-----------------------------------------------------------\njffs2_fill_super\n jffs2_do_fill_super\n jffs2_do_mount_fs\n jffs2_build_filesystem\n jffs2_scan_medium\n jffs2_scan_eraseblock \u003c--- ERROR\n jffs2_clear_xattr_subsystem \u003c--- free\n jffs2_clear_xattr_subsystem \u003c--- free again\n-----------------------------------------------------------\n\nAn error is returned in jffs2_do_mount_fs(). If the error is returned\nby jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to\nbe executed. If the error is returned by jffs2_build_filesystem(), the\njffs2_clear_xattr_subsystem() also does not need to be executed again.\nSo move jffs2_clear_xattr_subsystem() from \u0027out_inohash\u0027 to \u0027out_root\u0027\nto fix this UAF problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:43.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9"
},
{
"url": "https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5"
},
{
"url": "https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101"
},
{
"url": "https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422"
},
{
"url": "https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13"
},
{
"url": "https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1"
},
{
"url": "https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44"
},
{
"url": "https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed"
},
{
"url": "https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c"
}
],
"title": "jffs2: fix use-after-free in jffs2_clear_xattr_subsystem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47656",
"datePublished": "2025-02-26T01:54:20.069Z",
"dateReserved": "2025-02-26T01:48:21.521Z",
"dateUpdated": "2025-05-04T07:15:43.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49432 (GCVE-0-2022-49432)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/xics: fix refcount leak in icp_opal_init()
The of_find_compatible_node() function returns a node pointer with
refcount incremented, use of_node_put() on it when done.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xics/icp-opal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "977dbc81d0f866ef63b93c127b7404f07734b3cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53f3f7f73e609b934083f896cb7ca2c2cb009b9f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d5c8cea85fb1680eae8d645b96b92146cb4633c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "537a317e5ff45d1f5a0ecaf6a0d7c8043c878cb1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a61a97106279c2aa16fbbb2a171fd5dde127d23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df802880a7f9cd96b921b00639b00871f18a9a57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2357bd7499a81c70b460e2191852bbfc7b63c354",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9a42bc2494fadb453de00ce61042e588563ddc6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xics/icp-opal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xics: fix refcount leak in icp_opal_init()\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented, use of_node_put() on it when done."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:32.456Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/977dbc81d0f866ef63b93c127b7404f07734b3cc"
},
{
"url": "https://git.kernel.org/stable/c/53f3f7f73e609b934083f896cb7ca2c2cb009b9f"
},
{
"url": "https://git.kernel.org/stable/c/1d5c8cea85fb1680eae8d645b96b92146cb4633c"
},
{
"url": "https://git.kernel.org/stable/c/537a317e5ff45d1f5a0ecaf6a0d7c8043c878cb1"
},
{
"url": "https://git.kernel.org/stable/c/6a61a97106279c2aa16fbbb2a171fd5dde127d23"
},
{
"url": "https://git.kernel.org/stable/c/df802880a7f9cd96b921b00639b00871f18a9a57"
},
{
"url": "https://git.kernel.org/stable/c/2357bd7499a81c70b460e2191852bbfc7b63c354"
},
{
"url": "https://git.kernel.org/stable/c/9a42bc2494fadb453de00ce61042e588563ddc6d"
},
{
"url": "https://git.kernel.org/stable/c/5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9"
}
],
"title": "powerpc/xics: fix refcount leak in icp_opal_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49432",
"datePublished": "2025-02-26T02:12:50.073Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T08:37:32.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52979 (GCVE-0-2023-52979)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-07T06:23:46.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52979",
"datePublished": "2025-03-27T16:43:18.882Z",
"dateRejected": "2025-10-07T06:23:46.355Z",
"dateReserved": "2025-03-27T16:40:15.739Z",
"dateUpdated": "2025-10-07T06:23:46.355Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47649 (GCVE-0-2021-47649)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: validate ubuf->pagecount
Syzbot has reported GPF in sg_alloc_append_table_from_pages(). The
problem was in ubuf->pages == ZERO_PTR.
ubuf->pagecount is calculated from arguments passed from user-space. If
user creates udmabuf with list.size == 0 then ubuf->pagecount will be
also equal to zero; it causes kmalloc_array() to return ZERO_PTR.
Fix it by validating ubuf->pagecount before passing it to
kmalloc_array().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 Version: fbb0de795078190a9834b3409e4b009cfb18a6d4 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d50f851dd307c07ca5591297093f19967c834a9",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
},
{
"lessThan": "b267a8118c2b171bf7d67b90ed64154eeab9fae0",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
},
{
"lessThan": "811b667cefbea9cb7511a874b169d6a92907137e",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
},
{
"lessThan": "a3728d32fc61eb0fe283cb8ff60b2c8f751e2202",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
},
{
"lessThan": "9e9b4a269f84d3230f2af84ff42322db676440d9",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
},
{
"lessThan": "2b6dd600dd72573c23ea180b5b0b2f1813405882",
"status": "affected",
"version": "fbb0de795078190a9834b3409e4b009cfb18a6d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: validate ubuf-\u003epagecount\n\nSyzbot has reported GPF in sg_alloc_append_table_from_pages(). The\nproblem was in ubuf-\u003epages == ZERO_PTR.\n\nubuf-\u003epagecount is calculated from arguments passed from user-space. If\nuser creates udmabuf with list.size == 0 then ubuf-\u003epagecount will be\nalso equal to zero; it causes kmalloc_array() to return ZERO_PTR.\n\nFix it by validating ubuf-\u003epagecount before passing it to\nkmalloc_array()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:30.553Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d50f851dd307c07ca5591297093f19967c834a9"
},
{
"url": "https://git.kernel.org/stable/c/b267a8118c2b171bf7d67b90ed64154eeab9fae0"
},
{
"url": "https://git.kernel.org/stable/c/811b667cefbea9cb7511a874b169d6a92907137e"
},
{
"url": "https://git.kernel.org/stable/c/a3728d32fc61eb0fe283cb8ff60b2c8f751e2202"
},
{
"url": "https://git.kernel.org/stable/c/9e9b4a269f84d3230f2af84ff42322db676440d9"
},
{
"url": "https://git.kernel.org/stable/c/2b6dd600dd72573c23ea180b5b0b2f1813405882"
}
],
"title": "udmabuf: validate ubuf-\u003epagecount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47649",
"datePublished": "2025-02-26T01:54:16.574Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-05-04T07:15:30.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58069 (GCVE-0-2024-58069)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
The nvmem interface supports variable buffer sizes, while the regmap
interface operates with fixed-size storage. If an nvmem client uses a
buffer size less than 4 bytes, regmap_read will write out of bounds
as it expects the buffer to point at an unsigned int.
Fix this by using an intermediary unsigned int to hold the value.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 Version: fadfd092ee9138825d8c2a4f95719d2e2e3202b9 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:27:38.670709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:36.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:03.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-pcf85063.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21cd59fcb9952eb7505da2bdfc1eb9c619df3ff4",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "6f2a8ca9a0a38589f52a7f0fb9425b9ba987ae7c",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "e5536677da803ed54a29a446515c28dce7d3d574",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "c72b7a474d3f445bf0c5bcf8ffed332c78eb28a1",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "9adefa7b9559d0f21034a5d5ec1b55840c9348b9",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "e5e06455760f2995b16a176033909347929d1128",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "517aedb365f2c94e2d7e0b908ac7127df76203a1",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
},
{
"lessThan": "3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c",
"status": "affected",
"version": "fadfd092ee9138825d8c2a4f95719d2e2e3202b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-pcf85063.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read\n\nThe nvmem interface supports variable buffer sizes, while the regmap\ninterface operates with fixed-size storage. If an nvmem client uses a\nbuffer size less than 4 bytes, regmap_read will write out of bounds\nas it expects the buffer to point at an unsigned int.\n\nFix this by using an intermediary unsigned int to hold the value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:16.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21cd59fcb9952eb7505da2bdfc1eb9c619df3ff4"
},
{
"url": "https://git.kernel.org/stable/c/6f2a8ca9a0a38589f52a7f0fb9425b9ba987ae7c"
},
{
"url": "https://git.kernel.org/stable/c/e5536677da803ed54a29a446515c28dce7d3d574"
},
{
"url": "https://git.kernel.org/stable/c/c72b7a474d3f445bf0c5bcf8ffed332c78eb28a1"
},
{
"url": "https://git.kernel.org/stable/c/9adefa7b9559d0f21034a5d5ec1b55840c9348b9"
},
{
"url": "https://git.kernel.org/stable/c/e5e06455760f2995b16a176033909347929d1128"
},
{
"url": "https://git.kernel.org/stable/c/517aedb365f2c94e2d7e0b908ac7127df76203a1"
},
{
"url": "https://git.kernel.org/stable/c/3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c"
}
],
"title": "rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58069",
"datePublished": "2025-03-06T15:54:09.480Z",
"dateReserved": "2025-03-06T15:52:09.181Z",
"dateUpdated": "2025-11-03T19:34:03.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49243 (GCVE-0-2022-49243)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
This node pointer is returned by of_parse_phandle() with refcount
incremented in this function.
Calling of_node_put() to avoid the refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 Version: 531f67e41dcde1e358cf821d056241a66355cf03 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/sam9g20_wm8731.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81f266396237cea09a8c6322a6a78535f06ed345",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "f8b7b9a0594715ecfbe6f18db2328d992242654a",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "b0c56a0071116a37c24df998166c22a7e4684626",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "0325193cf40dc3a6e27d55a5b98680936deebcd0",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "662ee5ac6b451aa5a27b8eebd397f2f5c7f42cec",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "a0bc36b247dcf4d21bf820bfc4bcbaf7f6cf19b5",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "32e6ceb05f36432811753852c674a301f944a24b",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "4793a02deb31b71b3984abc67bf1011a03c13b18",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
},
{
"lessThan": "f590797fa3c1bccdd19e55441592a23b46aef449",
"status": "affected",
"version": "531f67e41dcde1e358cf821d056241a66355cf03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/sam9g20_wm8731.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function.\nCalling of_node_put() to avoid the refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:12.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81f266396237cea09a8c6322a6a78535f06ed345"
},
{
"url": "https://git.kernel.org/stable/c/f8b7b9a0594715ecfbe6f18db2328d992242654a"
},
{
"url": "https://git.kernel.org/stable/c/b0c56a0071116a37c24df998166c22a7e4684626"
},
{
"url": "https://git.kernel.org/stable/c/0325193cf40dc3a6e27d55a5b98680936deebcd0"
},
{
"url": "https://git.kernel.org/stable/c/662ee5ac6b451aa5a27b8eebd397f2f5c7f42cec"
},
{
"url": "https://git.kernel.org/stable/c/a0bc36b247dcf4d21bf820bfc4bcbaf7f6cf19b5"
},
{
"url": "https://git.kernel.org/stable/c/32e6ceb05f36432811753852c674a301f944a24b"
},
{
"url": "https://git.kernel.org/stable/c/4793a02deb31b71b3984abc67bf1011a03c13b18"
},
{
"url": "https://git.kernel.org/stable/c/f590797fa3c1bccdd19e55441592a23b46aef449"
}
],
"title": "ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49243",
"datePublished": "2025-02-26T01:56:04.304Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:12.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49265 (GCVE-0-2022-49265)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()
When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following
sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called
with a spinlock being held.
[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
[ 0.029219] preempt_count: 1, expected: 0
[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
[ 0.029256] Call trace:
[ 0.029265] dump_backtrace.part.0+0xbc/0xd0
[ 0.029285] show_stack+0x3c/0xa0
[ 0.029298] dump_stack_lvl+0x7c/0xa0
[ 0.029311] dump_stack+0x18/0x34
[ 0.029323] __might_resched+0x10c/0x13c
[ 0.029338] __might_sleep+0x4c/0x80
[ 0.029351] down_read+0x24/0xd0
[ 0.029363] lookup_one_len_unlocked+0x9c/0xcc
[ 0.029379] lookup_positive_unlocked+0x10/0x50
[ 0.029392] debugfs_lookup+0x68/0xac
[ 0.029406] genpd_remove.part.0+0x12c/0x1b4
[ 0.029419] of_genpd_remove_last+0xa8/0xd4
[ 0.029434] psci_cpuidle_domain_probe+0x174/0x53c
[ 0.029449] platform_probe+0x68/0xe0
[ 0.029462] really_probe+0x190/0x430
[ 0.029473] __driver_probe_device+0x90/0x18c
[ 0.029485] driver_probe_device+0x40/0xe0
[ 0.029497] __driver_attach+0xf4/0x1d0
[ 0.029508] bus_for_each_dev+0x70/0xd0
[ 0.029523] driver_attach+0x24/0x30
[ 0.029534] bus_add_driver+0x164/0x22c
[ 0.029545] driver_register+0x78/0x130
[ 0.029556] __platform_driver_register+0x28/0x34
[ 0.029569] psci_idle_init_domains+0x1c/0x28
[ 0.029583] do_one_initcall+0x50/0x1b0
[ 0.029595] kernel_init_freeable+0x214/0x280
[ 0.029609] kernel_init+0x2c/0x13c
[ 0.029622] ret_from_fork+0x10/0x20
It doesn't seem necessary to call genpd_debug_remove() with the lock, so
move it out from locking to fix the problem.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/power/domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2039163c30f886cf5638afd6993705ae9bb34a06",
"status": "affected",
"version": "718072ceb211833f3c71724f49d733d636067191",
"versionType": "git"
},
{
"lessThan": "d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c",
"status": "affected",
"version": "718072ceb211833f3c71724f49d733d636067191",
"versionType": "git"
},
{
"lessThan": "fee777ea77769cc5392a34805d9d73099a223fae",
"status": "affected",
"version": "718072ceb211833f3c71724f49d733d636067191",
"versionType": "git"
},
{
"lessThan": "f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8",
"status": "affected",
"version": "718072ceb211833f3c71724f49d733d636067191",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/power/domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()\n\nWhen a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following\nsleep-in-atomic bug will be seen, as genpd_debug_remove() will be called\nwith a spinlock being held.\n\n[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460\n[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0\n[ 0.029219] preempt_count: 1, expected: 0\n[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489\n[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)\n[ 0.029256] Call trace:\n[ 0.029265] dump_backtrace.part.0+0xbc/0xd0\n[ 0.029285] show_stack+0x3c/0xa0\n[ 0.029298] dump_stack_lvl+0x7c/0xa0\n[ 0.029311] dump_stack+0x18/0x34\n[ 0.029323] __might_resched+0x10c/0x13c\n[ 0.029338] __might_sleep+0x4c/0x80\n[ 0.029351] down_read+0x24/0xd0\n[ 0.029363] lookup_one_len_unlocked+0x9c/0xcc\n[ 0.029379] lookup_positive_unlocked+0x10/0x50\n[ 0.029392] debugfs_lookup+0x68/0xac\n[ 0.029406] genpd_remove.part.0+0x12c/0x1b4\n[ 0.029419] of_genpd_remove_last+0xa8/0xd4\n[ 0.029434] psci_cpuidle_domain_probe+0x174/0x53c\n[ 0.029449] platform_probe+0x68/0xe0\n[ 0.029462] really_probe+0x190/0x430\n[ 0.029473] __driver_probe_device+0x90/0x18c\n[ 0.029485] driver_probe_device+0x40/0xe0\n[ 0.029497] __driver_attach+0xf4/0x1d0\n[ 0.029508] bus_for_each_dev+0x70/0xd0\n[ 0.029523] driver_attach+0x24/0x30\n[ 0.029534] bus_add_driver+0x164/0x22c\n[ 0.029545] driver_register+0x78/0x130\n[ 0.029556] __platform_driver_register+0x28/0x34\n[ 0.029569] psci_idle_init_domains+0x1c/0x28\n[ 0.029583] do_one_initcall+0x50/0x1b0\n[ 0.029595] kernel_init_freeable+0x214/0x280\n[ 0.029609] kernel_init+0x2c/0x13c\n[ 0.029622] ret_from_fork+0x10/0x20\n\nIt doesn\u0027t seem necessary to call genpd_debug_remove() with the lock, so\nmove it out from locking to fix the problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:40.866Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2039163c30f886cf5638afd6993705ae9bb34a06"
},
{
"url": "https://git.kernel.org/stable/c/d1b6840d8fb9b35193d45d8fe6b4d830bfd20c3c"
},
{
"url": "https://git.kernel.org/stable/c/fee777ea77769cc5392a34805d9d73099a223fae"
},
{
"url": "https://git.kernel.org/stable/c/f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8"
}
],
"title": "PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49265",
"datePublished": "2025-02-26T01:56:15.221Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:40.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49556 (GCVE-0-2022-49556)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak
For some sev ioctl interfaces, the length parameter that is passed maybe
less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data
that PSP firmware returns. In this case, kmalloc will allocate memory
that is the size of the input rather than the size of the data.
Since PSP firmware doesn't fully overwrite the allocated buffer, these
sev ioctl interface may return uninitialized kernel slab memory.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "401bef1f95de92c3a8c6eece46e02fa88d7285ee",
"status": "affected",
"version": "eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5",
"versionType": "git"
},
{
"lessThan": "d8fdb4b24097472ff6b3c0559448200d420b1418",
"status": "affected",
"version": "eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5",
"versionType": "git"
},
{
"lessThan": "bbdcc644b59e01e98c68894a9fab42b9687f42b0",
"status": "affected",
"version": "eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5",
"versionType": "git"
},
{
"lessThan": "57a01725339f9d82b099102ba2751621b1caab93",
"status": "affected",
"version": "eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5",
"versionType": "git"
},
{
"lessThan": "d22d2474e3953996f03528b84b7f52cc26a39403",
"status": "affected",
"version": "eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.45",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak\n\nFor some sev ioctl interfaces, the length parameter that is passed maybe\nless than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data\nthat PSP firmware returns. In this case, kmalloc will allocate memory\nthat is the size of the input rather than the size of the data.\nSince PSP firmware doesn\u0027t fully overwrite the allocated buffer, these\nsev ioctl interface may return uninitialized kernel slab memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:28.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/401bef1f95de92c3a8c6eece46e02fa88d7285ee"
},
{
"url": "https://git.kernel.org/stable/c/d8fdb4b24097472ff6b3c0559448200d420b1418"
},
{
"url": "https://git.kernel.org/stable/c/bbdcc644b59e01e98c68894a9fab42b9687f42b0"
},
{
"url": "https://git.kernel.org/stable/c/57a01725339f9d82b099102ba2751621b1caab93"
},
{
"url": "https://git.kernel.org/stable/c/d22d2474e3953996f03528b84b7f52cc26a39403"
}
],
"title": "KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49556",
"datePublished": "2025-02-26T02:14:03.630Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-05-04T08:40:28.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49074 (GCVE-0-2022-49074)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3: Fix GICR_CTLR.RWP polling
It turns out that our polling of RWP is totally wrong when checking
for it in the redistributors, as we test the *distributor* bit index,
whereas it is a different bit number in the RDs... Oopsie boo.
This is embarassing. Not only because it is wrong, but also because
it took *8 years* to notice the blunder...
Just fix the damn thing.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 Version: 021f653791ad17e03f98aaa7fb933816ae16f161 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7daf1b4ad809692d5c26f33c02ed8a031066548",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "3c07cc242baf83f0bddbbd9d7945d0bee56d8b57",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "ff24114bb08d8b90edf2aff0a4fd0689523e6c17",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "7218a789abb3e033f5f3a85636ca50d9ae7b0fc9",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "60e1eb4811f53f5f60c788297d978515e7a2637a",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "6fef3e3179e6ed8fecdd004ede541674ffa7749d",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
},
{
"lessThan": "0df6664531a12cdd8fc873f0cac0dcb40243d3e9",
"status": "affected",
"version": "021f653791ad17e03f98aaa7fb933816ae16f161",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix GICR_CTLR.RWP polling\n\nIt turns out that our polling of RWP is totally wrong when checking\nfor it in the redistributors, as we test the *distributor* bit index,\nwhereas it is a different bit number in the RDs... Oopsie boo.\n\nThis is embarassing. Not only because it is wrong, but also because\nit took *8 years* to notice the blunder...\n\nJust fix the damn thing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:10.086Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7daf1b4ad809692d5c26f33c02ed8a031066548"
},
{
"url": "https://git.kernel.org/stable/c/3c07cc242baf83f0bddbbd9d7945d0bee56d8b57"
},
{
"url": "https://git.kernel.org/stable/c/ff24114bb08d8b90edf2aff0a4fd0689523e6c17"
},
{
"url": "https://git.kernel.org/stable/c/7218a789abb3e033f5f3a85636ca50d9ae7b0fc9"
},
{
"url": "https://git.kernel.org/stable/c/60e1eb4811f53f5f60c788297d978515e7a2637a"
},
{
"url": "https://git.kernel.org/stable/c/6fef3e3179e6ed8fecdd004ede541674ffa7749d"
},
{
"url": "https://git.kernel.org/stable/c/0df6664531a12cdd8fc873f0cac0dcb40243d3e9"
}
],
"title": "irqchip/gic-v3: Fix GICR_CTLR.RWP polling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49074",
"datePublished": "2025-02-26T01:54:38.290Z",
"dateReserved": "2025-02-26T01:49:39.245Z",
"dateUpdated": "2025-05-04T08:29:10.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49453 (GCVE-0-2022-49453)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: ti: ti_sci_pm_domains: Check for null return of devm_kcalloc
The allocation funciton devm_kcalloc may fail and return a null pointer,
which would cause a null-pointer dereference later.
It might be better to check it and directly return -ENOMEM just like the
usage of devm_kcalloc in previous code.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:26.333997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:47.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/ti/ti_sci_pm_domains.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05efc4591f80582b6fe53366b70b6a35a42fd255",
"status": "affected",
"version": "52835d59fc6cc7f3c3cfdb4a194ddc9ebd6c0c31",
"versionType": "git"
},
{
"lessThan": "7cef9274fa1b8506949d74bc45aef072b890824a",
"status": "affected",
"version": "52835d59fc6cc7f3c3cfdb4a194ddc9ebd6c0c31",
"versionType": "git"
},
{
"lessThan": "c4e188869406b47ac3350920bf165be303cb1c96",
"status": "affected",
"version": "52835d59fc6cc7f3c3cfdb4a194ddc9ebd6c0c31",
"versionType": "git"
},
{
"lessThan": "01ba41a359622ab256ce4d4f8b94c67165ae3daf",
"status": "affected",
"version": "52835d59fc6cc7f3c3cfdb4a194ddc9ebd6c0c31",
"versionType": "git"
},
{
"lessThan": "ba56291e297d28aa6eb82c5c1964fae2d7594746",
"status": "affected",
"version": "52835d59fc6cc7f3c3cfdb4a194ddc9ebd6c0c31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/ti/ti_sci_pm_domains.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: ti_sci_pm_domains: Check for null return of devm_kcalloc\n\nThe allocation funciton devm_kcalloc may fail and return a null pointer,\nwhich would cause a null-pointer dereference later.\nIt might be better to check it and directly return -ENOMEM just like the\nusage of devm_kcalloc in previous code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:04.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05efc4591f80582b6fe53366b70b6a35a42fd255"
},
{
"url": "https://git.kernel.org/stable/c/7cef9274fa1b8506949d74bc45aef072b890824a"
},
{
"url": "https://git.kernel.org/stable/c/c4e188869406b47ac3350920bf165be303cb1c96"
},
{
"url": "https://git.kernel.org/stable/c/01ba41a359622ab256ce4d4f8b94c67165ae3daf"
},
{
"url": "https://git.kernel.org/stable/c/ba56291e297d28aa6eb82c5c1964fae2d7594746"
}
],
"title": "soc: ti: ti_sci_pm_domains: Check for null return of devm_kcalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49453",
"datePublished": "2025-02-26T02:13:02.751Z",
"dateReserved": "2025-02-26T02:08:31.573Z",
"dateUpdated": "2025-10-01T19:46:47.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49508 (GCVE-0-2022-49508)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: elan: Fix potential double free in elan_input_configured
'input' is a managed resource allocated with devm_input_allocate_device(),
so there is no need to call input_free_device() explicitly or
there will be a double free.
According to the doc of devm_input_allocate_device():
* Managed input devices do not need to be explicitly unregistered or
* freed as it will be done automatically when owner device unbinds from
* its driver (or binding fails).
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 Version: 9a6a4193d65b853020ef0e66cecdf9e64a863883 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:25.923559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-elan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c92ec22a991778a096342cf1a917ae36c5c86a90",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "f1d4f19a796551edc6679a681ea1756b8c578c08",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "6d0726725c7c560495f5ff364862a2cefea542e3",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "24f9dfdaece9bd75bb8dbfdba83eddeefdf7dc47",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "5291451851feeb66fd4bf0826710f482f3b1ab38",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "8bb1716507ebf12d50bbf181764481de3b6bc7fd",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
},
{
"lessThan": "1af20714fedad238362571620be0bd690ded05b6",
"status": "affected",
"version": "9a6a4193d65b853020ef0e66cecdf9e64a863883",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-elan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: elan: Fix potential double free in elan_input_configured\n\n\u0027input\u0027 is a managed resource allocated with devm_input_allocate_device(),\nso there is no need to call input_free_device() explicitly or\nthere will be a double free.\n\nAccording to the doc of devm_input_allocate_device():\n * Managed input devices do not need to be explicitly unregistered or\n * freed as it will be done automatically when owner device unbinds from\n * its driver (or binding fails)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:26.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c92ec22a991778a096342cf1a917ae36c5c86a90"
},
{
"url": "https://git.kernel.org/stable/c/f1d4f19a796551edc6679a681ea1756b8c578c08"
},
{
"url": "https://git.kernel.org/stable/c/6d0726725c7c560495f5ff364862a2cefea542e3"
},
{
"url": "https://git.kernel.org/stable/c/24f9dfdaece9bd75bb8dbfdba83eddeefdf7dc47"
},
{
"url": "https://git.kernel.org/stable/c/5291451851feeb66fd4bf0826710f482f3b1ab38"
},
{
"url": "https://git.kernel.org/stable/c/8bb1716507ebf12d50bbf181764481de3b6bc7fd"
},
{
"url": "https://git.kernel.org/stable/c/1af20714fedad238362571620be0bd690ded05b6"
}
],
"title": "HID: elan: Fix potential double free in elan_input_configured",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49508",
"datePublished": "2025-02-26T02:13:39.472Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:42.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49063 (GCVE-0-2022-49063)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-11-03 17:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: arfs: fix use-after-free when freeing @rx_cpu_rmap
The CI testing bots triggered the following splat:
[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80
[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834
[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1
[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020
[ 718.223418] Call Trace:
[ 718.227139]
[ 718.230783] dump_stack_lvl+0x33/0x42
[ 718.234431] print_address_description.constprop.9+0x21/0x170
[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80
[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80
[ 718.245539] kasan_report.cold.18+0x7f/0x11b
[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80
[ 718.252852] free_irq_cpu_rmap+0x53/0x80
[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]
[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]
[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]
[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]
[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]
[ 718.278033] ? delay_tsc+0x4a/0xb0
[ 718.281513] ? preempt_count_sub+0x14/0xc0
[ 718.284984] ? delay_tsc+0x8f/0xb0
[ 718.288463] ice_do_reset+0x92/0xf0 [ice]
[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]
[ 718.295561] pci_reset_function+0x53/0x80
<...>
[ 718.393035] Allocated by task 690:
[ 718.433497] Freed by task 20834:
[ 718.495688] Last potentially related work creation:
[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00
which belongs to the cache kmalloc-96 of size 96
[ 718.574085] The buggy address is located 0 bytes inside of
96-byte region [ffff8881bd127e00, ffff8881bd127e60)
[ 718.579265] The buggy address belongs to the page:
[ 718.598905] Memory state around the buggy address:
[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.610811] ^
[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
This is due to that free_irq_cpu_rmap() is always being called
*after* (devm_)free_irq() and thus it tries to work with IRQ descs
already freed. For example, on device reset the driver frees the
rmap right before allocating a new one (the splat above).
Make rmap creation and freeing function symmetrical with
{request,free}_irq() calls i.e. do that on ifup/ifdown instead
of device probe/remove/resume. These operations can be performed
independently from the actual device aRFS configuration.
Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers
only when aRFS is disabled -- otherwise, CPU rmap sets and clears
its own and they must not be touched manually.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:43.737630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:31:01.995Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_arfs.c",
"drivers/net/ethernet/intel/ice/ice_lib.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba2f6ec28733fb6b24ed086e676df3df4c138f3f",
"status": "affected",
"version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
"versionType": "git"
},
{
"lessThan": "618df75f2e30c7838a3e010ca32cd4893ec9fe33",
"status": "affected",
"version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
"versionType": "git"
},
{
"lessThan": "d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3",
"status": "affected",
"version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
"versionType": "git"
},
{
"lessThan": "d7442f512b71fc63a99c8a801422dde4fbbf9f93",
"status": "affected",
"version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_arfs.c",
"drivers/net/ethernet/intel/ice/ice_lib.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.184",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.184",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[ 718.223418] Call Trace:\n[ 718.227139]\n[ 718.230783] dump_stack_lvl+0x33/0x42\n[ 718.234431] print_address_description.constprop.9+0x21/0x170\n[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.245539] kasan_report.cold.18+0x7f/0x11b\n[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.252852] free_irq_cpu_rmap+0x53/0x80\n[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]\n[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]\n[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]\n[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[ 718.278033] ? delay_tsc+0x4a/0xb0\n[ 718.281513] ? preempt_count_sub+0x14/0xc0\n[ 718.284984] ? delay_tsc+0x8f/0xb0\n[ 718.288463] ice_do_reset+0x92/0xf0 [ice]\n[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]\n[ 718.295561] pci_reset_function+0x53/0x80\n\u003c...\u003e\n[ 718.393035] Allocated by task 690:\n[ 718.433497] Freed by task 20834:\n[ 718.495688] Last potentially related work creation:\n[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00\n which belongs to the cache kmalloc-96 of size 96\n[ 718.574085] The buggy address is located 0 bytes inside of\n 96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[ 718.579265] The buggy address belongs to the page:\n[ 718.598905] Memory state around the buggy address:\n[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[ 718.607794] \u003effff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.610811] ^\n[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T12:57:13.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba2f6ec28733fb6b24ed086e676df3df4c138f3f"
},
{
"url": "https://git.kernel.org/stable/c/618df75f2e30c7838a3e010ca32cd4893ec9fe33"
},
{
"url": "https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3"
},
{
"url": "https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93"
}
],
"title": "ice: arfs: fix use-after-free when freeing @rx_cpu_rmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49063",
"datePublished": "2025-02-26T01:54:32.460Z",
"dateReserved": "2025-02-26T01:49:39.244Z",
"dateUpdated": "2025-11-03T17:31:01.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21832 (GCVE-0-2025-21832)
Vulnerability from cvelistv5
Published
2025-03-06 16:22
Modified
2025-11-03 21:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: don't revert iter for -EIOCBQUEUED
blkdev_read_iter() has a few odd checks, like gating the position and
count adjustment on whether or not the result is bigger-than-or-equal to
zero (where bigger than makes more sense), and not checking the return
value of blkdev_direct_IO() before doing an iov_iter_revert(). The
latter can lead to attempting to revert with a negative value, which
when passed to iov_iter_revert() as an unsigned value will lead to
throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.
Be sane and don't revert for -EIOCBQUEUED, like what is done in other
spots.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:00:04.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c26619effb1b4cb7d20b4e666ab8f71f6a53ccb",
"status": "affected",
"version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
"versionType": "git"
},
{
"lessThan": "84671b0630ccb46ae9f1f99a45c7d63ffcd6a474",
"status": "affected",
"version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
"versionType": "git"
},
{
"lessThan": "68f16d3034a06661245ecd22f0d586a8b4e7c473",
"status": "affected",
"version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
"versionType": "git"
},
{
"lessThan": "a58f136bad29f9ae721a29d98c042fddbee22f77",
"status": "affected",
"version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
"versionType": "git"
},
{
"lessThan": "b13ee668e8280ca5b07f8ce2846b9957a8a10853",
"status": "affected",
"version": "3e1f941dd9f33776b3df4e30f741fe445ff773f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don\u0027t revert iter for -EIOCBQUEUED\n\nblkdev_read_iter() has a few odd checks, like gating the position and\ncount adjustment on whether or not the result is bigger-than-or-equal to\nzero (where bigger than makes more sense), and not checking the return\nvalue of blkdev_direct_IO() before doing an iov_iter_revert(). The\nlatter can lead to attempting to revert with a negative value, which\nwhen passed to iov_iter_revert() as an unsigned value will lead to\nthrowing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.\n\nBe sane and don\u0027t revert for -EIOCBQUEUED, like what is done in other\nspots."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-10T16:48:42.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c26619effb1b4cb7d20b4e666ab8f71f6a53ccb"
},
{
"url": "https://git.kernel.org/stable/c/84671b0630ccb46ae9f1f99a45c7d63ffcd6a474"
},
{
"url": "https://git.kernel.org/stable/c/68f16d3034a06661245ecd22f0d586a8b4e7c473"
},
{
"url": "https://git.kernel.org/stable/c/a58f136bad29f9ae721a29d98c042fddbee22f77"
},
{
"url": "https://git.kernel.org/stable/c/b13ee668e8280ca5b07f8ce2846b9957a8a10853"
}
],
"title": "block: don\u0027t revert iter for -EIOCBQUEUED",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21832",
"datePublished": "2025-03-06T16:22:34.125Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2025-11-03T21:00:04.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49219 (GCVE-0-2022-49219)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-11-03 19:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: fix memory leak during D3hot to D0 transition
If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does
not have No_Soft_Reset bit set in its PMCSR config register), then
the current PCI state will be saved locally in
'vfio_pci_core_device::pm_save' during D0->D3hot transition and same
will be restored back during D3hot->D0 transition.
For saving the PCI state locally, pci_store_saved_state() is being
used and the pci_load_and_free_saved_state() will free the allocated
memory.
But for reset related IOCTLs, vfio driver calls PCI reset-related
API's which will internally change the PCI power state back to D0. So,
when the guest resumes, then it will get the current state as D0 and it
will skip the call to vfio_pci_set_power_state() for changing the
power state to D0 explicitly. In this case, the memory pointed by
'pm_save' will never be freed. In a malicious sequence, the state changing
to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be
run in a loop and it can cause an OOM situation.
This patch frees the earlier allocated memory first before overwriting
'pm_save' to prevent the mentioned memory leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:27:50.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/vfio_pci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da426ad86027b849b877d4628b277ffbbd2f5325",
"status": "affected",
"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2",
"versionType": "git"
},
{
"lessThan": "4319f17fb8264ba39352b611dfa913a4d8c1d1a0",
"status": "affected",
"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2",
"versionType": "git"
},
{
"lessThan": "26ddd196e9eb264da8e1bdc4df8a94d62581c8b5",
"status": "affected",
"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2",
"versionType": "git"
},
{
"lessThan": "c8a1f8bd586ee31020614b8d48b702ece3e2ae44",
"status": "affected",
"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2",
"versionType": "git"
},
{
"lessThan": "eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991",
"status": "affected",
"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vfio/pci/vfio_pci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix memory leak during D3hot to D0 transition\n\nIf \u0027vfio_pci_core_device::needs_pm_restore\u0027 is set (PCI device does\nnot have No_Soft_Reset bit set in its PMCSR config register), then\nthe current PCI state will be saved locally in\n\u0027vfio_pci_core_device::pm_save\u0027 during D0-\u003eD3hot transition and same\nwill be restored back during D3hot-\u003eD0 transition.\nFor saving the PCI state locally, pci_store_saved_state() is being\nused and the pci_load_and_free_saved_state() will free the allocated\nmemory.\n\nBut for reset related IOCTLs, vfio driver calls PCI reset-related\nAPI\u0027s which will internally change the PCI power state back to D0. So,\nwhen the guest resumes, then it will get the current state as D0 and it\nwill skip the call to vfio_pci_set_power_state() for changing the\npower state to D0 explicitly. In this case, the memory pointed by\n\u0027pm_save\u0027 will never be freed. In a malicious sequence, the state changing\nto D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be\nrun in a loop and it can cause an OOM situation.\n\nThis patch frees the earlier allocated memory first before overwriting\n\u0027pm_save\u0027 to prevent the mentioned memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:37.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da426ad86027b849b877d4628b277ffbbd2f5325"
},
{
"url": "https://git.kernel.org/stable/c/4319f17fb8264ba39352b611dfa913a4d8c1d1a0"
},
{
"url": "https://git.kernel.org/stable/c/26ddd196e9eb264da8e1bdc4df8a94d62581c8b5"
},
{
"url": "https://git.kernel.org/stable/c/c8a1f8bd586ee31020614b8d48b702ece3e2ae44"
},
{
"url": "https://git.kernel.org/stable/c/eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991"
}
],
"title": "vfio/pci: fix memory leak during D3hot to D0 transition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49219",
"datePublished": "2025-02-26T01:55:52.131Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-11-03T19:27:50.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58078 (GCVE-0-2024-58078)
Vulnerability from cvelistv5
Published
2025-03-06 16:13
Modified
2025-05-04 10:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors
misc_minor_alloc was allocating id using ida for minor only in case of
MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids
using ida_free causing a mismatch and following warn:
> > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f
> > ida_free called for id=127 which is not allocated.
> > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
...
> > [<60941eb4>] ida_free+0x3e0/0x41f
> > [<605ac993>] misc_minor_free+0x3e/0xbc
> > [<605acb82>] misc_deregister+0x171/0x1b3
misc_minor_alloc is changed to allocate id from ida for all minors
falling in the range of dynamic/ misc dynamic minors
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df72111c39f7e4c5029c9ff720b56ec2e05b764",
"status": "affected",
"version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
"versionType": "git"
},
{
"lessThan": "8b4120b3e060e137eaa8dc76a1c40401088336e5",
"status": "affected",
"version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
"versionType": "git"
},
{
"lessThan": "6635332d246d7db89b90e145f2bf937406cecaf0",
"status": "affected",
"version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
"versionType": "git"
},
{
"lessThan": "6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68",
"status": "affected",
"version": "ab760791c0cfbb1d7a668f46a135264f56c8f018",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors\n\nmisc_minor_alloc was allocating id using ida for minor only in case of\nMISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids\nusing ida_free causing a mismatch and following warn:\n\u003e \u003e WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f\n\u003e \u003e ida_free called for id=127 which is not allocated.\n\u003e \u003e \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\n...\n\u003e \u003e [\u003c60941eb4\u003e] ida_free+0x3e0/0x41f\n\u003e \u003e [\u003c605ac993\u003e] misc_minor_free+0x3e/0xbc\n\u003e \u003e [\u003c605acb82\u003e] misc_deregister+0x171/0x1b3\n\nmisc_minor_alloc is changed to allocate id from ida for all minors\nfalling in the range of dynamic/ misc dynamic minors"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:29.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df72111c39f7e4c5029c9ff720b56ec2e05b764"
},
{
"url": "https://git.kernel.org/stable/c/8b4120b3e060e137eaa8dc76a1c40401088336e5"
},
{
"url": "https://git.kernel.org/stable/c/6635332d246d7db89b90e145f2bf937406cecaf0"
},
{
"url": "https://git.kernel.org/stable/c/6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68"
}
],
"title": "misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58078",
"datePublished": "2025-03-06T16:13:41.909Z",
"dateReserved": "2025-03-06T15:52:09.183Z",
"dateUpdated": "2025-05-04T10:09:29.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56642 (GCVE-0-2024-56642)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-11-03 20:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free of kernel socket in cleanup_bearer().
syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro. [0][1]
When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().
tipc_exit_net() waits for such works to finish by checking
tipc_net(net)->wq_count. However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.
Let's move the decrement after releasing the socket in
cleanup_bearer().
[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
sk_alloc+0x438/0x608
inet_create+0x4c8/0xcb0
__sock_create+0x350/0x6b8
sock_create_kern+0x58/0x78
udp_sock_create4+0x68/0x398
udp_sock_create+0x88/0xc8
tipc_udp_enable+0x5e8/0x848
__tipc_nl_bearer_enable+0x84c/0xed8
tipc_nl_bearer_enable+0x38/0x60
genl_family_rcv_msg_doit+0x170/0x248
genl_rcv_msg+0x400/0x5b0
netlink_rcv_skb+0x1dc/0x398
genl_rcv+0x44/0x68
netlink_unicast+0x678/0x8b0
netlink_sendmsg+0x5e4/0x898
____sys_sendmsg+0x500/0x830
[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
udp_hashslot include/net/udp.h:85 [inline]
udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
__sock_release net/socket.c:658 [inline]
sock_release+0xa0/0x210 net/socket.c:686
cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
kthread+0x531/0x6b0 kernel/kthread.c:389
ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
Uninit was created at:
slab_free_hook mm/slub.c:2269 [inline]
slab_free mm/slub.c:4580 [inline]
kmem_cache_free+0x207/0xc40 mm/slub.c:4682
net_free net/core/net_namespace.c:454 [inline]
cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
kthread+0x531/0x6b0 kernel/kthread.c:389
ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa Version: 5195ec5e365a2a9331bfeb585b613a6e94f98dba Version: 04c26faa51d1e2fe71cf13c45791f5174c37f986 Version: 04c26faa51d1e2fe71cf13c45791f5174c37f986 Version: 04c26faa51d1e2fe71cf13c45791f5174c37f986 Version: 04c26faa51d1e2fe71cf13c45791f5174c37f986 Version: 04c26faa51d1e2fe71cf13c45791f5174c37f986 Version: b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:46.826025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:21.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:42.786Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/udp_media.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e69457f9dfae67435f3ccf29008768eae860415",
"status": "affected",
"version": "d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa",
"versionType": "git"
},
{
"lessThan": "650ee9a22d7a2de8999fac2d45983597a0c22359",
"status": "affected",
"version": "5195ec5e365a2a9331bfeb585b613a6e94f98dba",
"versionType": "git"
},
{
"lessThan": "d2a4894f238551eae178904e7f45af87577074fd",
"status": "affected",
"version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
"versionType": "git"
},
{
"lessThan": "d62d5180c036eeac09f80660edc7a602b369125f",
"status": "affected",
"version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
"versionType": "git"
},
{
"lessThan": "d00d4470bf8c4282617a3a10e76b20a9c7e4cffa",
"status": "affected",
"version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
"versionType": "git"
},
{
"lessThan": "e48b211c4c59062cb6dd6c2c37c51a7cc235a464",
"status": "affected",
"version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
"versionType": "git"
},
{
"lessThan": "6a2fa13312e51a621f652d522d7e2df7066330b6",
"status": "affected",
"version": "04c26faa51d1e2fe71cf13c45791f5174c37f986",
"versionType": "git"
},
{
"status": "affected",
"version": "b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/udp_media.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "5.4.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "5.10.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free of kernel socket in cleanup_bearer().\n\nsyzkaller reported a use-after-free of UDP kernel socket\nin cleanup_bearer() without repro. [0][1]\n\nWhen bearer_disable() calls tipc_udp_disable(), cleanup\nof the UDP kernel socket is deferred by work calling\ncleanup_bearer().\n\ntipc_exit_net() waits for such works to finish by checking\ntipc_net(net)-\u003ewq_count. However, the work decrements the\ncount too early before releasing the kernel socket,\nunblocking cleanup_net() and resulting in use-after-free.\n\nLet\u0027s move the decrement after releasing the socket in\ncleanup_bearer().\n\n[0]:\nref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at\n sk_alloc+0x438/0x608\n inet_create+0x4c8/0xcb0\n __sock_create+0x350/0x6b8\n sock_create_kern+0x58/0x78\n udp_sock_create4+0x68/0x398\n udp_sock_create+0x88/0xc8\n tipc_udp_enable+0x5e8/0x848\n __tipc_nl_bearer_enable+0x84c/0xed8\n tipc_nl_bearer_enable+0x38/0x60\n genl_family_rcv_msg_doit+0x170/0x248\n genl_rcv_msg+0x400/0x5b0\n netlink_rcv_skb+0x1dc/0x398\n genl_rcv+0x44/0x68\n netlink_unicast+0x678/0x8b0\n netlink_sendmsg+0x5e4/0x898\n ____sys_sendmsg+0x500/0x830\n\n[1]:\nBUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]\nBUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n udp_hashslot include/net/udp.h:85 [inline]\n udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n sk_common_release+0xaf/0x3f0 net/core/sock.c:3820\n inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437\n inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489\n __sock_release net/socket.c:658 [inline]\n sock_release+0xa0/0x210 net/socket.c:686\n cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\n slab_free_hook mm/slub.c:2269 [inline]\n slab_free mm/slub.c:4580 [inline]\n kmem_cache_free+0x207/0xc40 mm/slub.c:4682\n net_free net/core/net_namespace.c:454 [inline]\n cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nCPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: events cleanup_bearer"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:00:56.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415"
},
{
"url": "https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359"
},
{
"url": "https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd"
},
{
"url": "https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f"
},
{
"url": "https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa"
},
{
"url": "https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464"
},
{
"url": "https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6"
}
],
"title": "tipc: Fix use-after-free of kernel socket in cleanup_bearer().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56642",
"datePublished": "2024-12-27T15:02:43.660Z",
"dateReserved": "2024-12-27T15:00:39.839Z",
"dateUpdated": "2025-11-03T20:51:42.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21891 (GCVE-0-2025-21891)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: ensure network headers are in skb linear part
syzbot found that ipvlan_process_v6_outbound() was assuming
the IPv6 network header isis present in skb->head [1]
Add the needed pskb_network_may_pull() calls for both
IPv4 and IPv6 handlers.
[1]
BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
__ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
ipv6_addr_type include/net/ipv6.h:555 [inline]
ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]
ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651
ip6_route_output include/net/ip6_route.h:93 [inline]
ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476
ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671
ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223
__netdev_start_xmit include/linux/netdevice.h:5150 [inline]
netdev_start_xmit include/linux/netdevice.h:5159 [inline]
xmit_one net/core/dev.c:3735 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
qdisc_restart net/sched/sch_generic.c:408 [inline]
__qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416
qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127
net_tx_action+0x78b/0x940 net/core/dev.c:5484
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
__do_softirq+0x14/0x1a kernel/softirq.c:595
do_softirq+0x9a/0x100 kernel/softirq.c:462
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611
dev_queue_xmit include/linux/netdevice.h:3311 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3132 [inline]
packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164
sock_sendmsg_nosec net/socket.c:718 [inline]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:21.205802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:36.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:41.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b8dea8d1612dc7151d2457d7d2e6a69820309bf",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "4ec48f812804f370f622e0874e6dd8fcc58241cd",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "5353fd89663c48f56bdff975c562cfe78b1a2e4c",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "e2a4f76a2d8a44816ecd25bcbdb47b786d621974",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "27843ce6ba3d3122b65066550fe33fb8839f8aef",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header isis present in skb-\u003ehead [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n ipv6_addr_type include/net/ipv6.h:555 [inline]\n ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n xmit_one net/core/dev.c:3735 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n qdisc_restart net/sched/sch_generic.c:408 [inline]\n __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n net_tx_action+0x78b/0x940 net/core/dev.c:5484\n handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n __do_softirq+0x14/0x1a kernel/softirq.c:595\n do_softirq+0x9a/0x100 kernel/softirq.c:462\n __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3132 [inline]\n packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n sock_sendmsg_nosec net/socket.c:718 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:27.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf"
},
{
"url": "https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd"
},
{
"url": "https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c"
},
{
"url": "https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974"
},
{
"url": "https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef"
}
],
"title": "ipvlan: ensure network headers are in skb linear part",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21891",
"datePublished": "2025-03-27T14:57:17.267Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-11-03T19:38:41.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49227 (GCVE-0-2022-49227)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igc: avoid kernel warning when changing RX ring parameters
Calling ethtool changing the RX ring parameters like this:
$ ethtool -G eth0 rx 1024
on igc triggers kernel warnings like this:
[ 225.198467] ------------[ cut here ]------------
[ 225.198473] Missing unregister, handled but fix driver
[ 225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168
xdp_rxq_info_reg+0x79/0xd0
[...]
[ 225.198601] Call Trace:
[ 225.198604] <TASK>
[ 225.198609] igc_setup_rx_resources+0x3f/0xe0 [igc]
[ 225.198617] igc_ethtool_set_ringparam+0x30e/0x450 [igc]
[ 225.198626] ethnl_set_rings+0x18a/0x250
[ 225.198631] genl_family_rcv_msg_doit+0xca/0x110
[ 225.198637] genl_rcv_msg+0xce/0x1c0
[ 225.198640] ? rings_prepare_data+0x60/0x60
[ 225.198644] ? genl_get_cmd+0xd0/0xd0
[ 225.198647] netlink_rcv_skb+0x4e/0xf0
[ 225.198652] genl_rcv+0x24/0x40
[ 225.198655] netlink_unicast+0x20e/0x330
[ 225.198659] netlink_sendmsg+0x23f/0x480
[ 225.198663] sock_sendmsg+0x5b/0x60
[ 225.198667] __sys_sendto+0xf0/0x160
[ 225.198671] ? handle_mm_fault+0xb2/0x280
[ 225.198676] ? do_user_addr_fault+0x1eb/0x690
[ 225.198680] __x64_sys_sendto+0x20/0x30
[ 225.198683] do_syscall_64+0x38/0x90
[ 225.198687] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 225.198693] RIP: 0033:0x7f7ae38ac3aa
igc_ethtool_set_ringparam() copies the igc_ring structure but neglects to
reset the xdp_rxq_info member before calling igc_setup_rx_resources().
This in turn calls xdp_rxq_info_reg() with an already registered xdp_rxq_info.
Make sure to unregister the xdp_rxq_info structure first in
igc_setup_rx_resources.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab8c107470d12e7ef99030bf0911a10cdef62d16",
"status": "affected",
"version": "73f1071c1d2952b8c93cd6cd99744768c59ec840",
"versionType": "git"
},
{
"lessThan": "3ddb49af08094ebee250b461172ee7b8e27a35d3",
"status": "affected",
"version": "73f1071c1d2952b8c93cd6cd99744768c59ec840",
"versionType": "git"
},
{
"lessThan": "65aebcf1e05bd97d2e7ffcdff36efea1757c9450",
"status": "affected",
"version": "73f1071c1d2952b8c93cd6cd99744768c59ec840",
"versionType": "git"
},
{
"lessThan": "453307b569a0d41bddd07f26bf41b784cd82a4c9",
"status": "affected",
"version": "73f1071c1d2952b8c93cd6cd99744768c59ec840",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid kernel warning when changing RX ring parameters\n\nCalling ethtool changing the RX ring parameters like this:\n\n $ ethtool -G eth0 rx 1024\n\non igc triggers kernel warnings like this:\n\n[ 225.198467] ------------[ cut here ]------------\n[ 225.198473] Missing unregister, handled but fix driver\n[ 225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168\nxdp_rxq_info_reg+0x79/0xd0\n[...]\n[ 225.198601] Call Trace:\n[ 225.198604] \u003cTASK\u003e\n[ 225.198609] igc_setup_rx_resources+0x3f/0xe0 [igc]\n[ 225.198617] igc_ethtool_set_ringparam+0x30e/0x450 [igc]\n[ 225.198626] ethnl_set_rings+0x18a/0x250\n[ 225.198631] genl_family_rcv_msg_doit+0xca/0x110\n[ 225.198637] genl_rcv_msg+0xce/0x1c0\n[ 225.198640] ? rings_prepare_data+0x60/0x60\n[ 225.198644] ? genl_get_cmd+0xd0/0xd0\n[ 225.198647] netlink_rcv_skb+0x4e/0xf0\n[ 225.198652] genl_rcv+0x24/0x40\n[ 225.198655] netlink_unicast+0x20e/0x330\n[ 225.198659] netlink_sendmsg+0x23f/0x480\n[ 225.198663] sock_sendmsg+0x5b/0x60\n[ 225.198667] __sys_sendto+0xf0/0x160\n[ 225.198671] ? handle_mm_fault+0xb2/0x280\n[ 225.198676] ? do_user_addr_fault+0x1eb/0x690\n[ 225.198680] __x64_sys_sendto+0x20/0x30\n[ 225.198683] do_syscall_64+0x38/0x90\n[ 225.198687] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 225.198693] RIP: 0033:0x7f7ae38ac3aa\n\nigc_ethtool_set_ringparam() copies the igc_ring structure but neglects to\nreset the xdp_rxq_info member before calling igc_setup_rx_resources().\nThis in turn calls xdp_rxq_info_reg() with an already registered xdp_rxq_info.\n\nMake sure to unregister the xdp_rxq_info structure first in\nigc_setup_rx_resources."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:52.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab8c107470d12e7ef99030bf0911a10cdef62d16"
},
{
"url": "https://git.kernel.org/stable/c/3ddb49af08094ebee250b461172ee7b8e27a35d3"
},
{
"url": "https://git.kernel.org/stable/c/65aebcf1e05bd97d2e7ffcdff36efea1757c9450"
},
{
"url": "https://git.kernel.org/stable/c/453307b569a0d41bddd07f26bf41b784cd82a4c9"
}
],
"title": "igc: avoid kernel warning when changing RX ring parameters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49227",
"datePublished": "2025-02-26T01:55:56.202Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-05-04T08:32:52.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49645 (GCVE-0-2022-49645)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panfrost: Fix shrinker list corruption by madvise IOCTL
Calling madvise IOCTL twice on BO causes memory shrinker list corruption
and crashes kernel because BO is already on the list and it's added to
the list again, while BO should be removed from the list before it's
re-added. Fix it.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panfrost/panfrost_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "393594aad55179eb761af41533d8d1d6eb4543b0",
"status": "affected",
"version": "013b6510131568ce4e01856d5360bfdfe9c3632f",
"versionType": "git"
},
{
"lessThan": "0581613df7f9a4c5fac096ce1d5fb15b7b994240",
"status": "affected",
"version": "013b6510131568ce4e01856d5360bfdfe9c3632f",
"versionType": "git"
},
{
"lessThan": "1807d8867402a58b831a7fc16832747ff559a0d1",
"status": "affected",
"version": "013b6510131568ce4e01856d5360bfdfe9c3632f",
"versionType": "git"
},
{
"lessThan": "f036392edd9c49090781d8cca26ad6557a63bae4",
"status": "affected",
"version": "013b6510131568ce4e01856d5360bfdfe9c3632f",
"versionType": "git"
},
{
"lessThan": "9fc33eaaa979d112d10fea729edcd2a2e21aa912",
"status": "affected",
"version": "013b6510131568ce4e01856d5360bfdfe9c3632f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panfrost/panfrost_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix shrinker list corruption by madvise IOCTL\n\nCalling madvise IOCTL twice on BO causes memory shrinker list corruption\nand crashes kernel because BO is already on the list and it\u0027s added to\nthe list again, while BO should be removed from the list before it\u0027s\nre-added. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:28.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/393594aad55179eb761af41533d8d1d6eb4543b0"
},
{
"url": "https://git.kernel.org/stable/c/0581613df7f9a4c5fac096ce1d5fb15b7b994240"
},
{
"url": "https://git.kernel.org/stable/c/1807d8867402a58b831a7fc16832747ff559a0d1"
},
{
"url": "https://git.kernel.org/stable/c/f036392edd9c49090781d8cca26ad6557a63bae4"
},
{
"url": "https://git.kernel.org/stable/c/9fc33eaaa979d112d10fea729edcd2a2e21aa912"
}
],
"title": "drm/panfrost: Fix shrinker list corruption by madvise IOCTL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49645",
"datePublished": "2025-02-26T02:23:50.598Z",
"dateReserved": "2025-02-26T02:21:30.432Z",
"dateUpdated": "2025-05-04T08:42:28.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47642 (GCVE-0-2021-47642)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
Coverity complains of a possible buffer overflow. However,
given the 'static' scope of nvidia_setup_i2c_bus() it looks
like that can't happen after examiniing the call sites.
CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
1. fixed_size_dest: You might overrun the 48-character fixed-size string
chan->adapter.name by copying name without checking the length.
2. parameter_as_source: Note: This defect has an elevated risk because the
source argument is a parameter of the current function.
89 strcpy(chan->adapter.name, name);
Fix this warning by using strscpy() which will silence the warning and
prevent any future buffer overflows should the names used to identify the
channel become much longer.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/nvidia/nv_i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47e5533adf118afaf06d25a3e2aaaab89371b1c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "580e5d3815474b8349250c25c16416585a72c7fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72dd5c46a152136712a55bf026a9aa8c1b12b60d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "055cdd2e7b992921424d4daaa285ced787fb205f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08dff482012758935c185532b1ad7d584785a86e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ff2f7294ab0f011cd4d1b7dcd9a07d8fdf72834",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a5226e544ac043bb2d8dc1bfe8920d02282f7cd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41baa86b6c802cdc6ab8ff2d46c083c9be93de81",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37a1a2e6eeeb101285cd34e12e48a881524701aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/nvidia/nv_i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow\n\nCoverity complains of a possible buffer overflow. However,\ngiven the \u0027static\u0027 scope of nvidia_setup_i2c_bus() it looks\nlike that can\u0027t happen after examiniing the call sites.\n\nCID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)\n1. fixed_size_dest: You might overrun the 48-character fixed-size string\n chan-\u003eadapter.name by copying name without checking the length.\n2. parameter_as_source: Note: This defect has an elevated risk because the\n source argument is a parameter of the current function.\n 89 strcpy(chan-\u003eadapter.name, name);\n\nFix this warning by using strscpy() which will silence the warning and\nprevent any future buffer overflows should the names used to identify the\nchannel become much longer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:22.072Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47e5533adf118afaf06d25a3e2aaaab89371b1c5"
},
{
"url": "https://git.kernel.org/stable/c/580e5d3815474b8349250c25c16416585a72c7fe"
},
{
"url": "https://git.kernel.org/stable/c/72dd5c46a152136712a55bf026a9aa8c1b12b60d"
},
{
"url": "https://git.kernel.org/stable/c/055cdd2e7b992921424d4daaa285ced787fb205f"
},
{
"url": "https://git.kernel.org/stable/c/08dff482012758935c185532b1ad7d584785a86e"
},
{
"url": "https://git.kernel.org/stable/c/9ff2f7294ab0f011cd4d1b7dcd9a07d8fdf72834"
},
{
"url": "https://git.kernel.org/stable/c/6a5226e544ac043bb2d8dc1bfe8920d02282f7cd"
},
{
"url": "https://git.kernel.org/stable/c/41baa86b6c802cdc6ab8ff2d46c083c9be93de81"
},
{
"url": "https://git.kernel.org/stable/c/37a1a2e6eeeb101285cd34e12e48a881524701aa"
}
],
"title": "video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47642",
"datePublished": "2025-02-26T01:54:13.193Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-05-04T07:15:22.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49070 (GCVE-0-2022-49070)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Fix unregistering of framebuffers without device
OF framebuffers do not have an underlying device in the Linux
device hierarchy. Do a regular unregister call instead of hot
unplugging such a non-existing device. Fixes a NULL dereference.
An example error message on ppc64le is shown below.
BUG: Kernel NULL pointer dereference on read at 0x00000060
Faulting instruction address: 0xc00000000080dfa4
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
[...]
CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1
NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430
REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)
MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000
CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029
GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000
GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283
GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000
GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80
GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0
GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0
GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0
NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0
[c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)
[c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150
[c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0
[c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]
[c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]
[...]
[c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0
[c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250
The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug
firmware fb devices on forced removal"). Most firmware framebuffers
have an underlying platform device, which can be hot-unplugged
before loading the native graphics driver. OF framebuffers do not
(yet) have that device. Fix the code by unregistering the framebuffer
as before without a hot unplug.
Tested with 5.17 on qemu ppc64le emulation.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:37.472130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2388f826cdc9af2651991adc0feb79de9bdf2232",
"status": "affected",
"version": "c894ac44786cfed383a6c6b20c1bfb12eb96018a",
"versionType": "git"
},
{
"lessThan": "de33df481545974ba47c46f05194e769e4307843",
"status": "affected",
"version": "9565a3b5203a4d57acbc1d0e981c6df71864b4ab",
"versionType": "git"
},
{
"lessThan": "feed87ff122b1640c221d4dd559442ab2cd50bb1",
"status": "affected",
"version": "4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce",
"versionType": "git"
},
{
"lessThan": "0f525289ff0ddeb380813bd81e0f9bdaaa1c9078",
"status": "affected",
"version": "27599aacbaefcbf2af7b06b0029459bbf682000d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.34",
"status": "affected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThan": "5.16.20",
"status": "affected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThan": "5.17.3",
"status": "affected",
"version": "5.17.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without device\n\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\n\n BUG: Kernel NULL pointer dereference on read at 0x00000060\n Faulting instruction address: 0xc00000000080dfa4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n [...]\n CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\n NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\n REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)\n MSR: 8000000002009033 \u003cSF,VEC,EE,ME,IR,DR,RI,LE\u003e CR: 28228282 XER: 20000000\n CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\n GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\n GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\n GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\n GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\n GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\n GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\n GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\n GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\n NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n [...]\n [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\n\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\n\nTested with 5.17 on qemu ppc64le emulation."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:05.142Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232"
},
{
"url": "https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843"
},
{
"url": "https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1"
},
{
"url": "https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078"
}
],
"title": "fbdev: Fix unregistering of framebuffers without device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49070",
"datePublished": "2025-02-26T01:54:36.360Z",
"dateReserved": "2025-02-26T01:49:39.244Z",
"dateUpdated": "2025-10-01T19:57:06.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49501 (GCVE-0-2022-49501)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-07-17 16:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Run unregister_netdev() before unbind() again
Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()")
sought to fix a use-after-free on disconnect of USB Ethernet adapters.
It turns out that a different fix is necessary to address the issue:
https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/
So the commit was not necessary.
The commit made binding and unbinding of USB Ethernet asymmetrical:
Before, usbnet_probe() first invoked the ->bind() callback and then
register_netdev(). usbnet_disconnect() mirrored that by first invoking
unregister_netdev() and then ->unbind().
Since the commit, the order in usbnet_disconnect() is reversed and no
longer mirrors usbnet_probe().
One consequence is that a PHY disconnected (and stopped) in ->unbind()
is afterwards stopped once more by unregister_netdev() as it closes the
netdev before unregistering. That necessitates a contortion in ->stop()
because the PHY may only be stopped if it hasn't already been
disconnected.
Reverting the commit allows making the call to phy_stop() unconditional
in ->stop().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:41.764586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c",
"drivers/net/usb/smsc95xx.c",
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d5deb242874d924beccf7eb3cef04c1c3b0da79",
"status": "affected",
"version": "2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c",
"versionType": "git"
},
{
"lessThan": "fbda837107f9bd4ec658d2aa88c6856dba606f06",
"status": "affected",
"version": "2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c",
"versionType": "git"
},
{
"lessThan": "969a1b3ea3cb7d58a16fe12fd1b04bfc0ea40509",
"status": "affected",
"version": "2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c",
"versionType": "git"
},
{
"lessThan": "d1408f6b4dd78fb1b9e26bcf64477984e5f85409",
"status": "affected",
"version": "2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_devices.c",
"drivers/net/usb/smsc95xx.c",
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Run unregister_netdev() before unbind() again\n\nCommit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\")\nsought to fix a use-after-free on disconnect of USB Ethernet adapters.\n\nIt turns out that a different fix is necessary to address the issue:\nhttps://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/\n\nSo the commit was not necessary.\n\nThe commit made binding and unbinding of USB Ethernet asymmetrical:\nBefore, usbnet_probe() first invoked the -\u003ebind() callback and then\nregister_netdev(). usbnet_disconnect() mirrored that by first invoking\nunregister_netdev() and then -\u003eunbind().\n\nSince the commit, the order in usbnet_disconnect() is reversed and no\nlonger mirrors usbnet_probe().\n\nOne consequence is that a PHY disconnected (and stopped) in -\u003eunbind()\nis afterwards stopped once more by unregister_netdev() as it closes the\nnetdev before unregistering. That necessitates a contortion in -\u003estop()\nbecause the PHY may only be stopped if it hasn\u0027t already been\ndisconnected.\n\nReverting the commit allows making the call to phy_stop() unconditional\nin -\u003estop()."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T16:56:35.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d5deb242874d924beccf7eb3cef04c1c3b0da79"
},
{
"url": "https://git.kernel.org/stable/c/fbda837107f9bd4ec658d2aa88c6856dba606f06"
},
{
"url": "https://git.kernel.org/stable/c/969a1b3ea3cb7d58a16fe12fd1b04bfc0ea40509"
},
{
"url": "https://git.kernel.org/stable/c/d1408f6b4dd78fb1b9e26bcf64477984e5f85409"
}
],
"title": "usbnet: Run unregister_netdev() before unbind() again",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49501",
"datePublished": "2025-02-26T02:13:34.885Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-07-17T16:56:35.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21823 (GCVE-0-2025-21823)
Vulnerability from cvelistv5
Published
2025-02-27 20:06
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: Drop unmanaged ELP metric worker
The ELP worker needs to calculate new metric values for all neighbors
"reachable" over an interface. Some of the used metric sources require
locks which might need to sleep. This sleep is incompatible with the RCU
list iterator used for the recorded neighbors. The initial approach to work
around of this problem was to queue another work item per neighbor and then
run this in a new context.
Even when this solved the RCU vs might_sleep() conflict, it has a major
problems: Nothing was stopping the work item in case it is not needed
anymore - for example because one of the related interfaces was removed or
the batman-adv module was unloaded - resulting in potential invalid memory
accesses.
Directly canceling the metric worker also has various problems:
* cancel_work_sync for a to-be-deactivated interface is called with
rtnl_lock held. But the code in the ELP metric worker also tries to use
rtnl_lock() - which will never return in this case. This also means that
cancel_work_sync would never return because it is waiting for the worker
to finish.
* iterating over the neighbor list for the to-be-deactivated interface is
currently done using the RCU specific methods. Which means that it is
possible to miss items when iterating over it without the associated
spinlock - a behaviour which is acceptable for a periodic metric check
but not for a cleanup routine (which must "stop" all still running
workers)
The better approch is to get rid of the per interface neighbor metric
worker and handle everything in the interface worker. The original problems
are solved by:
* creating a list of neighbors which require new metric information inside
the RCU protected context, gathering the metric according to the new list
outside the RCU protected context
* only use rcu_trylock inside metric gathering code to avoid a deadlock
when the cancel_delayed_work_sync is called in the interface removal code
(which is called with the rtnl_lock held)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 Version: c833484e5f3872a38fe232c663586069d5ad9645 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:56.036Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v.c",
"net/batman-adv/bat_v_elp.c",
"net/batman-adv/bat_v_elp.h",
"net/batman-adv/types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c334629176c2d644befc31a20d4bf75542f7631",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "a0019971f340ae02ba54cf1861f72da7e03e6b66",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "781a06fd265a8151f7601122d9c2e985663828ff",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "a7aa2317285806640c844acd4cd2cd768e395264",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "0fdc3c166ac17b26014313fa2b93696354511b24",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
},
{
"lessThan": "8c8ecc98f5c65947b0070a24bac11e12e47cc65d",
"status": "affected",
"version": "c833484e5f3872a38fe232c663586069d5ad9645",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_v.c",
"net/batman-adv/bat_v_elp.c",
"net/batman-adv/bat_v_elp.h",
"net/batman-adv/types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Drop unmanaged ELP metric worker\n\nThe ELP worker needs to calculate new metric values for all neighbors\n\"reachable\" over an interface. Some of the used metric sources require\nlocks which might need to sleep. This sleep is incompatible with the RCU\nlist iterator used for the recorded neighbors. The initial approach to work\naround of this problem was to queue another work item per neighbor and then\nrun this in a new context.\n\nEven when this solved the RCU vs might_sleep() conflict, it has a major\nproblems: Nothing was stopping the work item in case it is not needed\nanymore - for example because one of the related interfaces was removed or\nthe batman-adv module was unloaded - resulting in potential invalid memory\naccesses.\n\nDirectly canceling the metric worker also has various problems:\n\n* cancel_work_sync for a to-be-deactivated interface is called with\n rtnl_lock held. But the code in the ELP metric worker also tries to use\n rtnl_lock() - which will never return in this case. This also means that\n cancel_work_sync would never return because it is waiting for the worker\n to finish.\n* iterating over the neighbor list for the to-be-deactivated interface is\n currently done using the RCU specific methods. Which means that it is\n possible to miss items when iterating over it without the associated\n spinlock - a behaviour which is acceptable for a periodic metric check\n but not for a cleanup routine (which must \"stop\" all still running\n workers)\n\nThe better approch is to get rid of the per interface neighbor metric\nworker and handle everything in the interface worker. The original problems\nare solved by:\n\n* creating a list of neighbors which require new metric information inside\n the RCU protected context, gathering the metric according to the new list\n outside the RCU protected context\n* only use rcu_trylock inside metric gathering code to avoid a deadlock\n when the cancel_delayed_work_sync is called in the interface removal code\n (which is called with the rtnl_lock held)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:54.473Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631"
},
{
"url": "https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66"
},
{
"url": "https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6"
},
{
"url": "https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff"
},
{
"url": "https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264"
},
{
"url": "https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24"
},
{
"url": "https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e"
},
{
"url": "https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d"
}
],
"title": "batman-adv: Drop unmanaged ELP metric worker",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21823",
"datePublished": "2025-02-27T20:06:14.074Z",
"dateReserved": "2024-12-29T08:45:45.775Z",
"dateUpdated": "2025-11-03T20:59:56.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49294 (GCVE-0-2022-49294)
Vulnerability from cvelistv5
Published
2025-02-26 02:01
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check if modulo is 0 before dividing.
[How & Why]
If a value of 0 is read, then this will cause a divide-by-0 panic.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:08.467620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide By Zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:00.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10ef82d6e0af5536ec64770c07f6bbabfdd6977c",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "96725758eff7b3805e4e94d1443a100757412720",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "07efce8269a038c37814eb656b4de14aa3015fc6",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "49947b906a6bd9668eaf4f9cf691973c25c26955",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check if modulo is 0 before dividing.\n\n[How \u0026 Why]\nIf a value of 0 is read, then this will cause a divide-by-0 panic."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T17:19:11.181Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10ef82d6e0af5536ec64770c07f6bbabfdd6977c"
},
{
"url": "https://git.kernel.org/stable/c/96725758eff7b3805e4e94d1443a100757412720"
},
{
"url": "https://git.kernel.org/stable/c/07efce8269a038c37814eb656b4de14aa3015fc6"
},
{
"url": "https://git.kernel.org/stable/c/49947b906a6bd9668eaf4f9cf691973c25c26955"
}
],
"title": "drm/amd/display: Check if modulo is 0 before dividing.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49294",
"datePublished": "2025-02-26T02:01:25.159Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-01T19:47:00.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49480 (GCVE-0-2022-49480)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe
of_find_device_by_node() takes reference, we should use put_device()
to release it. when devm_kzalloc() fails, it doesn't have a
put_device(), it will cause refcount leak.
Add missing put_device() to fix this.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:26.314297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:45.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf760e494ee5fa6bc2dc222f0098c741ad460801",
"status": "affected",
"version": "6a5f850aa83a1d844d27e3e53ca2f247e55d438b",
"versionType": "git"
},
{
"lessThan": "8205a0114db10ec41bd2b748cdd7528632082eca",
"status": "affected",
"version": "6a5f850aa83a1d844d27e3e53ca2f247e55d438b",
"versionType": "git"
},
{
"lessThan": "81b7edaabd44ba133006ad72056914eb36828d60",
"status": "affected",
"version": "6a5f850aa83a1d844d27e3e53ca2f247e55d438b",
"versionType": "git"
},
{
"lessThan": "ed46731d8e86c8d65f5fc717671e1f1f6c3146d2",
"status": "affected",
"version": "6a5f850aa83a1d844d27e3e53ca2f247e55d438b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe\n\nof_find_device_by_node() takes reference, we should use put_device()\nto release it. when devm_kzalloc() fails, it doesn\u0027t have a\nput_device(), it will cause refcount leak.\nAdd missing put_device() to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:38.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf760e494ee5fa6bc2dc222f0098c741ad460801"
},
{
"url": "https://git.kernel.org/stable/c/8205a0114db10ec41bd2b748cdd7528632082eca"
},
{
"url": "https://git.kernel.org/stable/c/81b7edaabd44ba133006ad72056914eb36828d60"
},
{
"url": "https://git.kernel.org/stable/c/ed46731d8e86c8d65f5fc717671e1f1f6c3146d2"
}
],
"title": "ASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49480",
"datePublished": "2025-02-26T02:13:20.651Z",
"dateReserved": "2025-02-26T02:08:31.581Z",
"dateUpdated": "2025-10-01T19:46:45.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49286 (GCVE-0-2022-49286)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: use try_get_ops() in tpm-space.c
As part of the series conversion to remove nested TPM operations:
https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/
exposure of the chip->tpm_mutex was removed from much of the upper
level code. In this conversion, tpm2_del_space() was missed. This
didn't matter much because it's usually called closely after a
converted operation, so there's only a very tiny race window where the
chip can be removed before the space flushing is done which causes a
NULL deref on the mutex. However, there are reports of this window
being hit in practice, so fix this by converting tpm2_del_space() to
use tpm_try_get_ops(), which performs all the teardown checks before
acquring the mutex.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b1d2561a03e534064b51c50c774657833d3d2cf",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "95193d12f10a8a088843b25e0f5fe1d83ec6b079",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "476ddd23f818fb94cf86fb5617f3bb9a7c92113d",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "eda1662cce964c8a65bb86321f8d9cfa6e9ceaab",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "ba84f9a48366dcc3cdef978599433efe101dd5bd",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
},
{
"lessThan": "fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9",
"status": "affected",
"version": "745b361e989af21ad40811c2586b60229f870a68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: use try_get_ops() in tpm-space.c\n\nAs part of the series conversion to remove nested TPM operations:\n\nhttps://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/\n\nexposure of the chip-\u003etpm_mutex was removed from much of the upper\nlevel code. In this conversion, tpm2_del_space() was missed. This\ndidn\u0027t matter much because it\u0027s usually called closely after a\nconverted operation, so there\u0027s only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex. However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:16.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b1d2561a03e534064b51c50c774657833d3d2cf"
},
{
"url": "https://git.kernel.org/stable/c/95193d12f10a8a088843b25e0f5fe1d83ec6b079"
},
{
"url": "https://git.kernel.org/stable/c/476ddd23f818fb94cf86fb5617f3bb9a7c92113d"
},
{
"url": "https://git.kernel.org/stable/c/eda1662cce964c8a65bb86321f8d9cfa6e9ceaab"
},
{
"url": "https://git.kernel.org/stable/c/ba84f9a48366dcc3cdef978599433efe101dd5bd"
},
{
"url": "https://git.kernel.org/stable/c/fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9"
}
],
"title": "tpm: use try_get_ops() in tpm-space.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49286",
"datePublished": "2025-02-26T01:56:25.566Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:16.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49675 (GCVE-0-2022-49675)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tick/nohz: unexport __init-annotated tick_nohz_full_setup()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it had been broken for a decade.
Commit 28438794aba4 ("modpost: fix section mismatch check for exported
init/exit sections") fixed it so modpost started to warn it again, then
this showed up:
MODPOST vmlinux.symvers
WARNING: modpost: vmlinux.o(___ksymtab_gpl+tick_nohz_full_setup+0x0): Section mismatch in reference from the variable __ksymtab_tick_nohz_full_setup to the function .init.text:tick_nohz_full_setup()
The symbol tick_nohz_full_setup is exported and annotated __init
Fix this by removing the __init annotation of tick_nohz_full_setup or drop the export.
Drop the export because tick_nohz_full_setup() is only called from the
built-in code in kernel/sched/isolation.c.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/tick-sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4ff3ffe0138234774602152fe67e3a898c615c6",
"status": "affected",
"version": "ae9e557b5be2e285f48ee945d9c8faf75d4f6a66",
"versionType": "git"
},
{
"lessThan": "f4a80ec8c51d68be4b7a7830c510f75080c5e417",
"status": "affected",
"version": "ae9e557b5be2e285f48ee945d9c8faf75d4f6a66",
"versionType": "git"
},
{
"lessThan": "ea32b27e2f8c58c92bff5ecba7fcf64b97707089",
"status": "affected",
"version": "ae9e557b5be2e285f48ee945d9c8faf75d4f6a66",
"versionType": "git"
},
{
"lessThan": "2390095113e98fc52fffe35c5206d30d9efe3f78",
"status": "affected",
"version": "ae9e557b5be2e285f48ee945d9c8faf75d4f6a66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/tick-sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.128",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.52",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntick/nohz: unexport __init-annotated tick_nohz_full_setup()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it had been broken for a decade.\n\nCommit 28438794aba4 (\"modpost: fix section mismatch check for exported\ninit/exit sections\") fixed it so modpost started to warn it again, then\nthis showed up:\n\n MODPOST vmlinux.symvers\n WARNING: modpost: vmlinux.o(___ksymtab_gpl+tick_nohz_full_setup+0x0): Section mismatch in reference from the variable __ksymtab_tick_nohz_full_setup to the function .init.text:tick_nohz_full_setup()\n The symbol tick_nohz_full_setup is exported and annotated __init\n Fix this by removing the __init annotation of tick_nohz_full_setup or drop the export.\n\nDrop the export because tick_nohz_full_setup() is only called from the\nbuilt-in code in kernel/sched/isolation.c."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:04.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4ff3ffe0138234774602152fe67e3a898c615c6"
},
{
"url": "https://git.kernel.org/stable/c/f4a80ec8c51d68be4b7a7830c510f75080c5e417"
},
{
"url": "https://git.kernel.org/stable/c/ea32b27e2f8c58c92bff5ecba7fcf64b97707089"
},
{
"url": "https://git.kernel.org/stable/c/2390095113e98fc52fffe35c5206d30d9efe3f78"
}
],
"title": "tick/nohz: unexport __init-annotated tick_nohz_full_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49675",
"datePublished": "2025-02-26T02:24:07.395Z",
"dateReserved": "2025-02-26T02:21:30.438Z",
"dateUpdated": "2025-05-04T08:43:04.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0179 (GCVE-0-2023-0179)
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2025-02-19 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:43.760Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161713"
},
{
"tags": [
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2023/q1/20"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171601/Kernel-Live-Patch-Security-Notice-LNS-0093-1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230511-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:11:54.896562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:12:13.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "unknown"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161713"
},
{
"url": "https://seclists.org/oss-sec/2023/q1/20"
},
{
"url": "http://packetstormsecurity.com/files/171601/Kernel-Live-Patch-Security-Notice-LNS-0093-1.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230511-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-0179",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2023-01-11T00:00:00.000Z",
"dateUpdated": "2025-02-19T16:12:13.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3303 (GCVE-0-2022-3303)
Vulnerability from cvelistv5
Published
2022-09-27 00:00
Modified
2025-05-21 15:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-667 - ->CWE-362->CWE-476
Summary
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Linux kernel |
Version: Fixed in kernel 6.0-rc5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
},
{
"tags": [
"x_transferred"
],
"url": "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA%40mail.gmail.com/"
},
{
"name": "DSA-5257",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5257"
},
{
"name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3303",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T15:31:25.170645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T15:31:49.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Linux kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in kernel 6.0-rc5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667-\u003eCWE-362-\u003eCWE-476",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
},
{
"url": "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA%40mail.gmail.com/"
},
{
"name": "DSA-5257",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5257"
},
{
"name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-3303",
"datePublished": "2022-09-27T00:00:00.000Z",
"dateReserved": "2022-09-26T00:00:00.000Z",
"dateUpdated": "2025-05-21T15:31:49.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49447 (GCVE-0-2022-49447)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: hisi: Add missing of_node_put after of_find_compatible_node
of_find_compatible_node will increment the refcount of the returned
device_node. Calling of_node_put() to avoid the refcount leak
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:43.032853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-hisi/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46cb7868811d025c3d29c10d18b3422db1cf20d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f8da78b2bae1f54746647a2bb44f8bd6025c57af",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd4be8ecfb41a29e7c4e551b4e866157ce4a3429",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e109058165137ef42841abd989f080adfefa14fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21a3effe446dd6dc5eed7fe897c2f9b88c9a5d6d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3265a9440030068547a20dfee646666f3ca5278",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cafaaae4bb9ce84a2791fa29bf6907a9466c3883",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "45d211668d33c49d73f5213e8c2b58468108647c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bc72e47d4630d58a840a66a869c56b29554cfe4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-hisi/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: hisi: Add missing of_node_put after of_find_compatible_node\n\nof_find_compatible_node will increment the refcount of the returned\ndevice_node. Calling of_node_put() to avoid the refcount leak"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:56.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46cb7868811d025c3d29c10d18b3422db1cf20d5"
},
{
"url": "https://git.kernel.org/stable/c/f8da78b2bae1f54746647a2bb44f8bd6025c57af"
},
{
"url": "https://git.kernel.org/stable/c/dd4be8ecfb41a29e7c4e551b4e866157ce4a3429"
},
{
"url": "https://git.kernel.org/stable/c/e109058165137ef42841abd989f080adfefa14fa"
},
{
"url": "https://git.kernel.org/stable/c/21a3effe446dd6dc5eed7fe897c2f9b88c9a5d6d"
},
{
"url": "https://git.kernel.org/stable/c/a3265a9440030068547a20dfee646666f3ca5278"
},
{
"url": "https://git.kernel.org/stable/c/cafaaae4bb9ce84a2791fa29bf6907a9466c3883"
},
{
"url": "https://git.kernel.org/stable/c/45d211668d33c49d73f5213e8c2b58468108647c"
},
{
"url": "https://git.kernel.org/stable/c/9bc72e47d4630d58a840a66a869c56b29554cfe4"
}
],
"title": "ARM: hisi: Add missing of_node_put after of_find_compatible_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49447",
"datePublished": "2025-02-26T02:12:58.540Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-10-01T19:46:48.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49609 (GCVE-0-2022-49609)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
of_find_matching_node_and_match() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 Version: 0e545f57b708630c54c8c5c24ea7f7034f6c40d9 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:54.763276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/reset/arm-versatile-reboot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4d224eec96a18fa8959512cd9e5b6a50bd16a41",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "a9ed3ad3a8d1dfbc829d86edb3236873a315db11",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "6689754b121bd487f99680280102b3a5cd7374af",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "78bdf732cf5d74d1c6ecda06830a91f80a4aef6f",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "493ceca3271316e74639c89ff8ac35883de64256",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "71ab83ac65e2d671552374123bf920c1d698335a",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "49fa778ee044b00471dd9ccae5f6a121fffea1ac",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
},
{
"lessThan": "80192eff64eee9b3bc0594a47381937b94b9d65a",
"status": "affected",
"version": "0e545f57b708630c54c8c5c24ea7f7034f6c40d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/reset/arm-versatile-reboot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.325",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.290",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe\n\nof_find_matching_node_and_match() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:43.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4d224eec96a18fa8959512cd9e5b6a50bd16a41"
},
{
"url": "https://git.kernel.org/stable/c/a9ed3ad3a8d1dfbc829d86edb3236873a315db11"
},
{
"url": "https://git.kernel.org/stable/c/6689754b121bd487f99680280102b3a5cd7374af"
},
{
"url": "https://git.kernel.org/stable/c/78bdf732cf5d74d1c6ecda06830a91f80a4aef6f"
},
{
"url": "https://git.kernel.org/stable/c/493ceca3271316e74639c89ff8ac35883de64256"
},
{
"url": "https://git.kernel.org/stable/c/71ab83ac65e2d671552374123bf920c1d698335a"
},
{
"url": "https://git.kernel.org/stable/c/49fa778ee044b00471dd9ccae5f6a121fffea1ac"
},
{
"url": "https://git.kernel.org/stable/c/80192eff64eee9b3bc0594a47381937b94b9d65a"
}
],
"title": "power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49609",
"datePublished": "2025-02-26T02:23:32.818Z",
"dateReserved": "2025-02-26T02:21:30.417Z",
"dateUpdated": "2025-10-01T19:36:51.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53015 (GCVE-0-2023-53015)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: betop: check shape of output reports
betopff_init() only checks the total sum of the report counts for each
report field to be at least 4, but hid_betopff_play() expects 4 report
fields.
A device advertising an output report with one field and 4 report counts
would pass the check but crash the kernel with a NULL pointer dereference
in hid_betopff_play().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:20:32.648003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:20:35.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-betopff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbab4dba400d6ea9a9697fbbd287adbf7db1dac4",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "7317326f685824c7c29bd80841fd18041af6bb73",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "d3065cc56221d1a5eda237e94eaf2a627b88ab79",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "28fc6095da22dc88433d79578ae1c495ebe8ca43",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "1a2a47b85cab50a3c146731bfeaf2d860f5344ee",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "07bc32e53c7bd5c91472cc485231ef6274db9b76",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "3782c0d6edf658b71354a64d60aa7a296188fc90",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-betopff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: check shape of output reports\n\nbetopff_init() only checks the total sum of the report counts for each\nreport field to be at least 4, but hid_betopff_play() expects 4 report\nfields.\nA device advertising an output report with one field and 4 report counts\nwould pass the check but crash the kernel with a NULL pointer dereference\nin hid_betopff_play()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:38.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbab4dba400d6ea9a9697fbbd287adbf7db1dac4"
},
{
"url": "https://git.kernel.org/stable/c/7317326f685824c7c29bd80841fd18041af6bb73"
},
{
"url": "https://git.kernel.org/stable/c/d3065cc56221d1a5eda237e94eaf2a627b88ab79"
},
{
"url": "https://git.kernel.org/stable/c/28fc6095da22dc88433d79578ae1c495ebe8ca43"
},
{
"url": "https://git.kernel.org/stable/c/1a2a47b85cab50a3c146731bfeaf2d860f5344ee"
},
{
"url": "https://git.kernel.org/stable/c/07bc32e53c7bd5c91472cc485231ef6274db9b76"
},
{
"url": "https://git.kernel.org/stable/c/3782c0d6edf658b71354a64d60aa7a296188fc90"
}
],
"title": "HID: betop: check shape of output reports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53015",
"datePublished": "2025-03-27T16:43:43.886Z",
"dateReserved": "2025-03-27T16:40:15.750Z",
"dateUpdated": "2025-10-01T17:20:35.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21819 (GCVE-0-2025-21819)
Vulnerability from cvelistv5
Published
2025-02-27 20:04
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/amd/display: Use HW lock mgr for PSR1"
This reverts commit
a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1")
Because it may cause system hang while connect with two edp panel.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:51.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "915697c2e69ac8d14dad498e6d6f43dbb7de3787",
"status": "affected",
"version": "b7d2461858ac75c9d6bc4ab8af1a738d0814b716",
"versionType": "git"
},
{
"lessThan": "dcc3f2c06d80da39eee742b51ddf0781affb260c",
"status": "affected",
"version": "758abba3dd413dc5de2016f8588403294263a30a",
"versionType": "git"
},
{
"lessThan": "95c75578c420110c43791295985abb961d6dc033",
"status": "affected",
"version": "4b46fc30b37e457d25cf3908c0c4dc3fbedd2044",
"versionType": "git"
},
{
"lessThan": "a978864653e45d2671f99b09afcc1110e45d3dd9",
"status": "affected",
"version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
"versionType": "git"
},
{
"lessThan": "f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6",
"status": "affected",
"version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.12.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/display: Use HW lock mgr for PSR1\"\n\nThis reverts commit\na2b5a9956269 (\"drm/amd/display: Use HW lock mgr for PSR1\")\n\nBecause it may cause system hang while connect with two edp panel."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:49.995Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/915697c2e69ac8d14dad498e6d6f43dbb7de3787"
},
{
"url": "https://git.kernel.org/stable/c/dcc3f2c06d80da39eee742b51ddf0781affb260c"
},
{
"url": "https://git.kernel.org/stable/c/95c75578c420110c43791295985abb961d6dc033"
},
{
"url": "https://git.kernel.org/stable/c/a978864653e45d2671f99b09afcc1110e45d3dd9"
},
{
"url": "https://git.kernel.org/stable/c/f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6"
}
],
"title": "Revert \"drm/amd/display: Use HW lock mgr for PSR1\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21819",
"datePublished": "2025-02-27T20:04:17.284Z",
"dateReserved": "2024-12-29T08:45:45.775Z",
"dateUpdated": "2025-11-03T20:59:51.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49624 (GCVE-0-2022-49624)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: remove aq_nic_deinit() when resume
aq_nic_deinit() has been called while suspending, so we don't have to call
it again on resume.
Actually, call it again leads to another hang issue when resuming from
S3.
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace:
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] <TASK>
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic]
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic]
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] </TASK>
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]---
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110
Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2978d0124f26e453ed30fda6a37f62d8c7f19cb",
"status": "affected",
"version": "6aa239d82e35b9e3eb8e8c7750fd5caa377e1e15",
"versionType": "git"
},
{
"lessThan": "58c90993933e7a76305519bc70da8c0cd2907c1f",
"status": "affected",
"version": "890a5c6d19817a9db5c981174737d1bc9b6fb1a1",
"versionType": "git"
},
{
"lessThan": "702419db7ded2e3686fbc05040b61d7428d611d5",
"status": "affected",
"version": "1809c30b6e5a83a1de1435fe01aaa4de4d626a7c",
"versionType": "git"
},
{
"lessThan": "2e15c51fefaffaf9f72255eaef4fada05055e4c5",
"status": "affected",
"version": "1809c30b6e5a83a1de1435fe01aaa4de4d626a7c",
"versionType": "git"
},
{
"status": "affected",
"version": "fb45f24264b94e8c37657789dbb1966a07933d12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: remove aq_nic_deinit() when resume\n\naq_nic_deinit() has been called while suspending, so we don\u0027t have to call\nit again on resume.\nActually, call it again leads to another hang issue when resuming from\nS3.\n\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace:\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] \u003cTASK\u003e\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic]\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic]\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] \u003c/TASK\u003e\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]---\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:59.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2978d0124f26e453ed30fda6a37f62d8c7f19cb"
},
{
"url": "https://git.kernel.org/stable/c/58c90993933e7a76305519bc70da8c0cd2907c1f"
},
{
"url": "https://git.kernel.org/stable/c/702419db7ded2e3686fbc05040b61d7428d611d5"
},
{
"url": "https://git.kernel.org/stable/c/2e15c51fefaffaf9f72255eaef4fada05055e4c5"
}
],
"title": "net: atlantic: remove aq_nic_deinit() when resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49624",
"datePublished": "2025-02-26T02:23:40.311Z",
"dateReserved": "2025-02-26T02:21:30.421Z",
"dateUpdated": "2025-05-04T12:44:59.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49378 (GCVE-0-2022-49378)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix considering that all channels have TX queues
Normally, all channels have RX and TX queues, but this is not true if
modparam efx_separate_tx_channels=1 is used. In that cases, some
channels only have RX queues and others only TX queues (or more
preciselly, they have them allocated, but not initialized).
Fix efx_channel_has_tx_queues to return the correct value for this case
too.
Messages shown at probe time before the fix:
sfc 0000:03:00.0 ens6f0np0: MC command 0x82 inlen 544 failed rc=-22 (raw=0) arg=0
------------[ cut here ]------------
netdevice: ens6f0np0: failed to initialise TXQ -1
WARNING: CPU: 1 PID: 626 at drivers/net/ethernet/sfc/ef10.c:2393 efx_ef10_tx_init+0x201/0x300 [sfc]
[...] stripped
RIP: 0010:efx_ef10_tx_init+0x201/0x300 [sfc]
[...] stripped
Call Trace:
efx_init_tx_queue+0xaa/0xf0 [sfc]
efx_start_channels+0x49/0x120 [sfc]
efx_start_all+0x1f8/0x430 [sfc]
efx_net_open+0x5a/0xe0 [sfc]
__dev_open+0xd0/0x190
__dev_change_flags+0x1b3/0x220
dev_change_flags+0x21/0x60
[...] stripped
Messages shown at remove time before the fix:
sfc 0000:03:00.0 ens6f0np0: failed to flush 10 queues
sfc 0000:03:00.0 ens6f0np0: failed to flush queues
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/net_driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f81a4113e1e574d2cbde4f2cd599380a9189c0f",
"status": "affected",
"version": "8700aff089843399f95bc7701ae87b642b35a716",
"versionType": "git"
},
{
"lessThan": "5567d69b95b9c07e1c56f15cf0301251d12e5f97",
"status": "affected",
"version": "8700aff089843399f95bc7701ae87b642b35a716",
"versionType": "git"
},
{
"lessThan": "e7e8d5e25dc762b70f9c88ec6b7d451d0816eead",
"status": "affected",
"version": "8700aff089843399f95bc7701ae87b642b35a716",
"versionType": "git"
},
{
"lessThan": "913d45f02d346ce41c4aad057eaf53a8ed449dc3",
"status": "affected",
"version": "8700aff089843399f95bc7701ae87b642b35a716",
"versionType": "git"
},
{
"lessThan": "2e102b53f8a778f872dc137f4c7ac548705817aa",
"status": "affected",
"version": "8700aff089843399f95bc7701ae87b642b35a716",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/net_driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix considering that all channels have TX queues\n\nNormally, all channels have RX and TX queues, but this is not true if\nmodparam efx_separate_tx_channels=1 is used. In that cases, some\nchannels only have RX queues and others only TX queues (or more\npreciselly, they have them allocated, but not initialized).\n\nFix efx_channel_has_tx_queues to return the correct value for this case\ntoo.\n\nMessages shown at probe time before the fix:\n sfc 0000:03:00.0 ens6f0np0: MC command 0x82 inlen 544 failed rc=-22 (raw=0) arg=0\n ------------[ cut here ]------------\n netdevice: ens6f0np0: failed to initialise TXQ -1\n WARNING: CPU: 1 PID: 626 at drivers/net/ethernet/sfc/ef10.c:2393 efx_ef10_tx_init+0x201/0x300 [sfc]\n [...] stripped\n RIP: 0010:efx_ef10_tx_init+0x201/0x300 [sfc]\n [...] stripped\n Call Trace:\n efx_init_tx_queue+0xaa/0xf0 [sfc]\n efx_start_channels+0x49/0x120 [sfc]\n efx_start_all+0x1f8/0x430 [sfc]\n efx_net_open+0x5a/0xe0 [sfc]\n __dev_open+0xd0/0x190\n __dev_change_flags+0x1b3/0x220\n dev_change_flags+0x21/0x60\n [...] stripped\n\nMessages shown at remove time before the fix:\n sfc 0000:03:00.0 ens6f0np0: failed to flush 10 queues\n sfc 0000:03:00.0 ens6f0np0: failed to flush queues"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:24.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f81a4113e1e574d2cbde4f2cd599380a9189c0f"
},
{
"url": "https://git.kernel.org/stable/c/5567d69b95b9c07e1c56f15cf0301251d12e5f97"
},
{
"url": "https://git.kernel.org/stable/c/e7e8d5e25dc762b70f9c88ec6b7d451d0816eead"
},
{
"url": "https://git.kernel.org/stable/c/913d45f02d346ce41c4aad057eaf53a8ed449dc3"
},
{
"url": "https://git.kernel.org/stable/c/2e102b53f8a778f872dc137f4c7ac548705817aa"
}
],
"title": "sfc: fix considering that all channels have TX queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49378",
"datePublished": "2025-02-26T02:11:17.084Z",
"dateReserved": "2025-02-26T02:08:31.558Z",
"dateUpdated": "2025-05-04T08:36:24.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58076 (GCVE-0-2024-58076)
Vulnerability from cvelistv5
Published
2025-03-06 16:13
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: gcc-sm6350: Add missing parent_map for two clocks
If a clk_rcg2 has a parent, it should also have parent_map defined,
otherwise we'll get a NULL pointer dereference when calling clk_set_rate
like the following:
[ 3.388105] Call trace:
[ 3.390664] qcom_find_src_index+0x3c/0x70 (P)
[ 3.395301] qcom_find_src_index+0x1c/0x70 (L)
[ 3.399934] _freq_tbl_determine_rate+0x48/0x100
[ 3.404753] clk_rcg2_determine_rate+0x1c/0x28
[ 3.409387] clk_core_determine_round_nolock+0x58/0xe4
[ 3.421414] clk_core_round_rate_nolock+0x48/0xfc
[ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc
[ 3.444483] clk_core_set_rate_nolock+0x8c/0x300
[ 3.455886] clk_set_rate+0x38/0x14c
Add the parent_map property for two clocks where it's missing and also
un-inline the parent_data as well to keep the matching parent_map and
parent_data together.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 131abae905df99f63d825e47b4df100d34f518ce Version: 131abae905df99f63d825e47b4df100d34f518ce Version: 131abae905df99f63d825e47b4df100d34f518ce Version: 131abae905df99f63d825e47b4df100d34f518ce Version: 131abae905df99f63d825e47b4df100d34f518ce Version: 131abae905df99f63d825e47b4df100d34f518ce |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:27:21.531174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:36.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:10.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/gcc-sm6350.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "175af15551ed5aa6af16ff97aff75cfffb42da21",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
},
{
"lessThan": "39336edd14a59dc086fb19957655e0f340bb28e8",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
},
{
"lessThan": "08b77ed7cfaac62bba51ac7a0487409ec9fcbc84",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
},
{
"lessThan": "b6fe13566bf5676b1e3b72d2a06d875733e93ee6",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
},
{
"lessThan": "3e567032233a240b903dc11c9f18eeb3faa10ffa",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
},
{
"lessThan": "96fe1a7ee477d701cfc98ab9d3c730c35d966861",
"status": "affected",
"version": "131abae905df99f63d825e47b4df100d34f518ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/gcc-sm6350.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-sm6350: Add missing parent_map for two clocks\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we\u0027ll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n [ 3.388105] Call trace:\n [ 3.390664] qcom_find_src_index+0x3c/0x70 (P)\n [ 3.395301] qcom_find_src_index+0x1c/0x70 (L)\n [ 3.399934] _freq_tbl_determine_rate+0x48/0x100\n [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28\n [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4\n [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc\n [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc\n [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300\n [ 3.455886] clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for two clocks where it\u0027s missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:26.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/175af15551ed5aa6af16ff97aff75cfffb42da21"
},
{
"url": "https://git.kernel.org/stable/c/39336edd14a59dc086fb19957655e0f340bb28e8"
},
{
"url": "https://git.kernel.org/stable/c/08b77ed7cfaac62bba51ac7a0487409ec9fcbc84"
},
{
"url": "https://git.kernel.org/stable/c/b6fe13566bf5676b1e3b72d2a06d875733e93ee6"
},
{
"url": "https://git.kernel.org/stable/c/3e567032233a240b903dc11c9f18eeb3faa10ffa"
},
{
"url": "https://git.kernel.org/stable/c/96fe1a7ee477d701cfc98ab9d3c730c35d966861"
}
],
"title": "clk: qcom: gcc-sm6350: Add missing parent_map for two clocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58076",
"datePublished": "2025-03-06T16:13:40.307Z",
"dateReserved": "2025-03-06T15:52:09.182Z",
"dateUpdated": "2025-11-03T19:34:10.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49382 (GCVE-0-2022-49382)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: rockchip: Fix refcount leak in rockchip_grf_init
of_find_matching_node_and_match returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f Version: 4c58063d4258f6beb4fd5647db6b58f49e337c8f |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:52.025245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:51.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/rockchip/grf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5422f323858cad3ac3581075f9a3a5e0d41c0d8",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "28133325526b92921f3269fdf97a20d90b92b217",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "69a30b2ed620c2206cbbd1e9c112e4fc584e02bd",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "5b3e990f85eb034faa461e691e719e8ce9e2a3c8",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "aab25b669cb9fd3698c2631be4435f4fe92d9e59",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "042571fe1d171773655ad706715ecc865913d9a4",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "8f64e84924604bb969ee1fbc4b8d7d09b9214889",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
},
{
"lessThan": "9b59588d8be91c96bfb0371e912ceb4f16315dbf",
"status": "affected",
"version": "4c58063d4258f6beb4fd5647db6b58f49e337c8f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/rockchip/grf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: rockchip: Fix refcount leak in rockchip_grf_init\n\nof_find_matching_node_and_match returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:29.676Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5422f323858cad3ac3581075f9a3a5e0d41c0d8"
},
{
"url": "https://git.kernel.org/stable/c/28133325526b92921f3269fdf97a20d90b92b217"
},
{
"url": "https://git.kernel.org/stable/c/69a30b2ed620c2206cbbd1e9c112e4fc584e02bd"
},
{
"url": "https://git.kernel.org/stable/c/5b3e990f85eb034faa461e691e719e8ce9e2a3c8"
},
{
"url": "https://git.kernel.org/stable/c/aab25b669cb9fd3698c2631be4435f4fe92d9e59"
},
{
"url": "https://git.kernel.org/stable/c/042571fe1d171773655ad706715ecc865913d9a4"
},
{
"url": "https://git.kernel.org/stable/c/8f64e84924604bb969ee1fbc4b8d7d09b9214889"
},
{
"url": "https://git.kernel.org/stable/c/9b59588d8be91c96bfb0371e912ceb4f16315dbf"
}
],
"title": "soc: rockchip: Fix refcount leak in rockchip_grf_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49382",
"datePublished": "2025-02-26T02:11:19.294Z",
"dateReserved": "2025-02-26T02:08:31.559Z",
"dateUpdated": "2025-10-01T19:46:51.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52973 (GCVE-0-2023-52973)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
After a call to console_unlock() in vcs_read() the vc_data struct can be
freed by vc_deallocate(). Because of that, the struct vc_data pointer
load must be done at the top of while loop in vcs_read() to avoid a UAF
when vcs_size() is called.
Syzkaller reported a UAF in vcs_size().
BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537
CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
Call Trace:
<TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:350)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_read (drivers/tty/vt/vc_screen.c:415)
vfs_read (fs/read_write.c:468 fs/read_write.c:450)
...
</TASK>
Allocated by task 1191:
...
kmalloc_trace (mm/slab_common.c:1069)
vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
con_install (drivers/tty/vt/vt.c:3383)
tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413
drivers/tty/tty_io.c:1390)
tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:883)
vfs_open (fs/open.c:1014)
...
Freed by task 1548:
...
kfree (mm/slab_common.c:1021)
vc_port_destruct (drivers/tty/vt/vt.c:1094)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2776)
...
The buggy address belongs to the object at ffff888113747800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
1024-byte region [ffff888113747800, ffff888113747c00)
The buggy address belongs to the physical page:
page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x113740
head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0
compound_pincount:0
anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:54.662104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af79ea9a2443016f64d8fd8d72020cc874f0e066",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "6332f52f44b9776568bf3c0b714ddfb0bb175e78",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "d0332cbf53dad06a22189cc341391237f4ea6d9f",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "55515d7d8743b71b80bfe68e89eb9d92630626ab",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "8506f16aae9daf354e3732bcfd447e2a97f023df",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "226fae124b2dac217ea5436060d623ff3385bc34",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.329",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.329",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF\n\nAfter a call to console_unlock() in vcs_read() the vc_data struct can be\nfreed by vc_deallocate(). Because of that, the struct vc_data pointer\nload must be done at the top of while loop in vcs_read() to avoid a UAF\nwhen vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537\n\nCPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1\nHardware name: Red Hat KVM, BIOS 1.15.0-2.module\nCall Trace:\n \u003cTASK\u003e\n__asan_report_load4_noabort (mm/kasan/report_generic.c:350)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_read (drivers/tty/vt/vc_screen.c:415)\nvfs_read (fs/read_write.c:468 fs/read_write.c:450)\n...\n \u003c/TASK\u003e\n\nAllocated by task 1191:\n...\nkmalloc_trace (mm/slab_common.c:1069)\nvc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720\n drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)\ncon_install (drivers/tty/vt/vt.c:3383)\ntty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413\n drivers/tty/tty_io.c:1390)\ntty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:883)\nvfs_open (fs/open.c:1014)\n...\n\nFreed by task 1548:\n...\nkfree (mm/slab_common.c:1021)\nvc_port_destruct (drivers/tty/vt/vt.c:1094)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2776)\n...\n\nThe buggy address belongs to the object at ffff888113747800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n 1024-byte region [ffff888113747800, ffff888113747c00)\n\nThe buggy address belongs to the physical page:\npage:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000\n index:0x0 pfn:0x113740\nhead:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0\n compound_pincount:0\nanon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003e ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:35.811Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af79ea9a2443016f64d8fd8d72020cc874f0e066"
},
{
"url": "https://git.kernel.org/stable/c/6332f52f44b9776568bf3c0b714ddfb0bb175e78"
},
{
"url": "https://git.kernel.org/stable/c/d0332cbf53dad06a22189cc341391237f4ea6d9f"
},
{
"url": "https://git.kernel.org/stable/c/55515d7d8743b71b80bfe68e89eb9d92630626ab"
},
{
"url": "https://git.kernel.org/stable/c/fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18"
},
{
"url": "https://git.kernel.org/stable/c/8506f16aae9daf354e3732bcfd447e2a97f023df"
},
{
"url": "https://git.kernel.org/stable/c/226fae124b2dac217ea5436060d623ff3385bc34"
}
],
"title": "vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52973",
"datePublished": "2025-03-27T16:43:12.756Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:35.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49290 (GCVE-0-2022-49290)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac80211: fix potential double free on mesh join
While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving
mesh") fixed a memory leak on mesh leave / teardown it introduced a
potential memory corruption caused by a double free when rejoining the
mesh:
ieee80211_leave_mesh()
-> kfree(sdata->u.mesh.ie);
...
ieee80211_join_mesh()
-> copy_mesh_setup()
-> old_ie = ifmsh->ie;
-> kfree(old_ie);
This double free / kernel panics can be reproduced by using wpa_supplicant
with an encrypted mesh (if set up without encryption via "iw" then
ifmsh->ie is always NULL, which avoids this issue). And then calling:
$ iw dev mesh0 mesh leave
$ iw dev mesh0 mesh join my-mesh
Note that typically these commands are not used / working when using
wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going
through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join
where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of
default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids
the memory corruption, too.
The issue was first observed in an application which was not using
wpa_supplicant but "Senf" instead, which implements its own calls to
nl80211.
Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh
join function and leaving it solely up to the mesh leave to free the
mesh IE.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3212d6248faf0efce6b7a718e198feecce0eea05 Version: 86e7d4cd2ed5f4b0188afce8199faffcf1ae7c7e Version: 37bccfa89559a70c044b5ccde3c916a91388e14a Version: 3f15e3e62c80e180282f0cbc5559264e11c328b7 Version: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Version: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Version: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Version: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Version: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 Version: 12e9cb1e7c93413112260991d094cfda712fdc97 Version: 4f3193e08602462a806e8f53212e79c60a6f7488 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:11.938129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:00.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "615716af8644813355e014314a0bc1e961250f5a",
"status": "affected",
"version": "3212d6248faf0efce6b7a718e198feecce0eea05",
"versionType": "git"
},
{
"lessThan": "c1d9c3628ef0a0ca197595d0f9e01cd3b5dda186",
"status": "affected",
"version": "86e7d4cd2ed5f4b0188afce8199faffcf1ae7c7e",
"versionType": "git"
},
{
"lessThan": "273ebddc5fda2967492cb0b6cdd7d81cfb821b76",
"status": "affected",
"version": "37bccfa89559a70c044b5ccde3c916a91388e14a",
"versionType": "git"
},
{
"lessThan": "3bbd0000d012f92aec423b224784fbf0f7bf40f8",
"status": "affected",
"version": "3f15e3e62c80e180282f0cbc5559264e11c328b7",
"versionType": "git"
},
{
"lessThan": "5d3ff9542a40ce034416bca03864709540a36016",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "12e407a8ef17623823fd0c066fbd7f103953d28d",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "582d8c60c0c053684f7138875e8150d5749ffc17",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "46bb87d40683337757a2f902fcd4244b32bb4e86",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"status": "affected",
"version": "12e9cb1e7c93413112260991d094cfda712fdc97",
"versionType": "git"
},
{
"status": "affected",
"version": "4f3193e08602462a806e8f53212e79c60a6f7488",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.309",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.309",
"versionStartIncluding": "4.9.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.274",
"versionStartIncluding": "4.14.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.237",
"versionStartIncluding": "4.19.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"versionStartIncluding": "5.4.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix potential double free on mesh join\n\nWhile commit 6a01afcf8468 (\"mac80211: mesh: Free ie data when leaving\nmesh\") fixed a memory leak on mesh leave / teardown it introduced a\npotential memory corruption caused by a double free when rejoining the\nmesh:\n\n ieee80211_leave_mesh()\n -\u003e kfree(sdata-\u003eu.mesh.ie);\n ...\n ieee80211_join_mesh()\n -\u003e copy_mesh_setup()\n -\u003e old_ie = ifmsh-\u003eie;\n -\u003e kfree(old_ie);\n\nThis double free / kernel panics can be reproduced by using wpa_supplicant\nwith an encrypted mesh (if set up without encryption via \"iw\" then\nifmsh-\u003eie is always NULL, which avoids this issue). And then calling:\n\n $ iw dev mesh0 mesh leave\n $ iw dev mesh0 mesh join my-mesh\n\nNote that typically these commands are not used / working when using\nwpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going\nthrough a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join\nwhere the NETDEV_UP resets the mesh.ie to NULL via a memcpy of\ndefault_mesh_setup in cfg80211_netdev_notifier_call, which then avoids\nthe memory corruption, too.\n\nThe issue was first observed in an application which was not using\nwpa_supplicant but \"Senf\" instead, which implements its own calls to\nnl80211.\n\nFixing the issue by removing the kfree()\u0027ing of the mesh IE in the mesh\njoin function and leaving it solely up to the mesh leave to free the\nmesh IE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:25.773Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/615716af8644813355e014314a0bc1e961250f5a"
},
{
"url": "https://git.kernel.org/stable/c/c1d9c3628ef0a0ca197595d0f9e01cd3b5dda186"
},
{
"url": "https://git.kernel.org/stable/c/273ebddc5fda2967492cb0b6cdd7d81cfb821b76"
},
{
"url": "https://git.kernel.org/stable/c/3bbd0000d012f92aec423b224784fbf0f7bf40f8"
},
{
"url": "https://git.kernel.org/stable/c/5d3ff9542a40ce034416bca03864709540a36016"
},
{
"url": "https://git.kernel.org/stable/c/12e407a8ef17623823fd0c066fbd7f103953d28d"
},
{
"url": "https://git.kernel.org/stable/c/582d8c60c0c053684f7138875e8150d5749ffc17"
},
{
"url": "https://git.kernel.org/stable/c/46bb87d40683337757a2f902fcd4244b32bb4e86"
},
{
"url": "https://git.kernel.org/stable/c/4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3"
}
],
"title": "mac80211: fix potential double free on mesh join",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49290",
"datePublished": "2025-02-26T01:56:27.500Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-01T19:47:00.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49126 (GCVE-0-2022-49126)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix memory leaks
Fix memory leaks related to operational reply queue's memory segments which
are not getting freed while unloading the driver.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:28.246318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d76a88b8536d75ff5362e232097e85946b8aadf",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "27fc9e90171ab0a94a411f3fdb3522ef5acb9537",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "71c7ac65a084ae7d387c3c1d02d59edfdecb009f",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "d44b5fefb22e139408ae12b864da1ecb9ad9d1d2",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix memory leaks\n\nFix memory leaks related to operational reply queue\u0027s memory segments which\nare not getting freed while unloading the driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:33.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d76a88b8536d75ff5362e232097e85946b8aadf"
},
{
"url": "https://git.kernel.org/stable/c/27fc9e90171ab0a94a411f3fdb3522ef5acb9537"
},
{
"url": "https://git.kernel.org/stable/c/71c7ac65a084ae7d387c3c1d02d59edfdecb009f"
},
{
"url": "https://git.kernel.org/stable/c/d44b5fefb22e139408ae12b864da1ecb9ad9d1d2"
}
],
"title": "scsi: mpi3mr: Fix memory leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49126",
"datePublished": "2025-02-26T01:55:04.161Z",
"dateReserved": "2025-02-26T01:49:39.266Z",
"dateUpdated": "2025-10-01T19:57:03.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49720 (GCVE-0-2022-49720)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Fix handling of offline queues in blk_mq_alloc_request_hctx()
This patch prevents that test nvme/004 triggers the following:
UBSAN: array-index-out-of-bounds in block/blk-mq.h:135:9
index 512 is out of range for type 'long unsigned int [512]'
Call Trace:
show_stack+0x52/0x58
dump_stack_lvl+0x49/0x5e
dump_stack+0x10/0x12
ubsan_epilogue+0x9/0x3b
__ubsan_handle_out_of_bounds.cold+0x44/0x49
blk_mq_alloc_request_hctx+0x304/0x310
__nvme_submit_sync_cmd+0x70/0x200 [nvme_core]
nvmf_connect_io_queue+0x23e/0x2a0 [nvme_fabrics]
nvme_loop_connect_io_queues+0x8d/0xb0 [nvme_loop]
nvme_loop_create_ctrl+0x58e/0x7d0 [nvme_loop]
nvmf_create_ctrl+0x1d7/0x4d0 [nvme_fabrics]
nvmf_dev_write+0xae/0x111 [nvme_fabrics]
vfs_write+0x144/0x560
ksys_write+0xb7/0x140
__x64_sys_write+0x42/0x50
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:03.276274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:44.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fa28a7c3d74933a4fc22d341b60927952f31c19",
"status": "affected",
"version": "20e4d813931961fe26d26a1e98b3aba6ec00b130",
"versionType": "git"
},
{
"lessThan": "b5e65ef044d627effdc2599040b6d204e003f955",
"status": "affected",
"version": "20e4d813931961fe26d26a1e98b3aba6ec00b130",
"versionType": "git"
},
{
"lessThan": "b202a0bd2580ee5b0453772c46d464152fafff73",
"status": "affected",
"version": "20e4d813931961fe26d26a1e98b3aba6ec00b130",
"versionType": "git"
},
{
"lessThan": "14dc7a18abbe4176f5626c13c333670da8e06aa1",
"status": "affected",
"version": "20e4d813931961fe26d26a1e98b3aba6ec00b130",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix handling of offline queues in blk_mq_alloc_request_hctx()\n\nThis patch prevents that test nvme/004 triggers the following:\n\nUBSAN: array-index-out-of-bounds in block/blk-mq.h:135:9\nindex 512 is out of range for type \u0027long unsigned int [512]\u0027\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n dump_stack+0x10/0x12\n ubsan_epilogue+0x9/0x3b\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n blk_mq_alloc_request_hctx+0x304/0x310\n __nvme_submit_sync_cmd+0x70/0x200 [nvme_core]\n nvmf_connect_io_queue+0x23e/0x2a0 [nvme_fabrics]\n nvme_loop_connect_io_queues+0x8d/0xb0 [nvme_loop]\n nvme_loop_create_ctrl+0x58e/0x7d0 [nvme_loop]\n nvmf_create_ctrl+0x1d7/0x4d0 [nvme_fabrics]\n nvmf_dev_write+0xae/0x111 [nvme_fabrics]\n vfs_write+0x144/0x560\n ksys_write+0xb7/0x140\n __x64_sys_write+0x42/0x50\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:03.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fa28a7c3d74933a4fc22d341b60927952f31c19"
},
{
"url": "https://git.kernel.org/stable/c/b5e65ef044d627effdc2599040b6d204e003f955"
},
{
"url": "https://git.kernel.org/stable/c/b202a0bd2580ee5b0453772c46d464152fafff73"
},
{
"url": "https://git.kernel.org/stable/c/14dc7a18abbe4176f5626c13c333670da8e06aa1"
}
],
"title": "block: Fix handling of offline queues in blk_mq_alloc_request_hctx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49720",
"datePublished": "2025-02-26T02:24:34.194Z",
"dateReserved": "2025-02-26T02:21:30.445Z",
"dateUpdated": "2025-10-01T19:36:44.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49697 (GCVE-0-2022-49697)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix request_sock leak in sk lookup helpers
A customer reported a request_socket leak in a Calico cloud environment. We
found that a BPF program was doing a socket lookup with takes a refcnt on
the socket and that it was finding the request_socket but returning the parent
LISTEN socket via sk_to_full_sk() without decrementing the child request socket
1st, resulting in request_sock slab object leak. This patch retains the
existing behaviour of returning full socks to the caller but it also decrements
the child request_socket if one is present before doing so to prevent the leak.
Thanks to Curtis Taylor for all the help in diagnosing and testing this. And
thanks to Antoine Tenart for the reproducer and patch input.
v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to
validate RCU flags on the listen socket so that it balances with bpf_sk_release()
and update comments as per Martin KaFai Lau's suggestion. One small change to
Daniels suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra
instruction.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ffe2e50e9678c8373027492035f094b130437f1",
"status": "affected",
"version": "edbf8c01de5a104a71ed6df2bf6421ceb2836a8e",
"versionType": "git"
},
{
"lessThan": "516760f1d2979903eaad5b437256913c5cd98416",
"status": "affected",
"version": "edbf8c01de5a104a71ed6df2bf6421ceb2836a8e",
"versionType": "git"
},
{
"lessThan": "b03607437ea81b850599f705096b05b85e7a4a71",
"status": "affected",
"version": "edbf8c01de5a104a71ed6df2bf6421ceb2836a8e",
"versionType": "git"
},
{
"lessThan": "5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd",
"status": "affected",
"version": "edbf8c01de5a104a71ed6df2bf6421ceb2836a8e",
"versionType": "git"
},
{
"lessThan": "3046a827316c0e55fc563b4fb78c93b9ca5c7c37",
"status": "affected",
"version": "edbf8c01de5a104a71ed6df2bf6421ceb2836a8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix request_sock leak in sk lookup helpers\n\nA customer reported a request_socket leak in a Calico cloud environment. We\nfound that a BPF program was doing a socket lookup with takes a refcnt on\nthe socket and that it was finding the request_socket but returning the parent\nLISTEN socket via sk_to_full_sk() without decrementing the child request socket\n1st, resulting in request_sock slab object leak. This patch retains the\nexisting behaviour of returning full socks to the caller but it also decrements\nthe child request_socket if one is present before doing so to prevent the leak.\n\nThanks to Curtis Taylor for all the help in diagnosing and testing this. And\nthanks to Antoine Tenart for the reproducer and patch input.\n\nv2 of this patch contains, refactor as per Daniel Borkmann\u0027s suggestions to\nvalidate RCU flags on the listen socket so that it balances with bpf_sk_release()\nand update comments as per Martin KaFai Lau\u0027s suggestion. One small change to\nDaniels suggestion, put \"sk = sk2\" under \"if (sk2 != sk)\" to avoid an extra\ninstruction."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:29.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ffe2e50e9678c8373027492035f094b130437f1"
},
{
"url": "https://git.kernel.org/stable/c/516760f1d2979903eaad5b437256913c5cd98416"
},
{
"url": "https://git.kernel.org/stable/c/b03607437ea81b850599f705096b05b85e7a4a71"
},
{
"url": "https://git.kernel.org/stable/c/5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd"
},
{
"url": "https://git.kernel.org/stable/c/3046a827316c0e55fc563b4fb78c93b9ca5c7c37"
}
],
"title": "bpf: Fix request_sock leak in sk lookup helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49697",
"datePublished": "2025-02-26T02:24:18.842Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-05-04T08:43:29.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58052 (GCVE-0-2024-58052)
Vulnerability from cvelistv5
Published
2025-03-06 15:53
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table
The function atomctrl_get_smc_sclk_range_table() does not check the return
value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to
retrieve SMU_Info table, it returns NULL which is later dereferenced.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
In practice this should never happen as this code only gets called
on polaris chips and the vbios data table will always be present on
those chips.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c Version: a23eefa2f4615af91ea496ca5b55c9e7c6fa934c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:28.288167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:38.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:46.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a713ba7167c2d74c477dd7764dbbdbe3199f17f4",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "c47066ed7c8f3b320ef87fa6217a2b8b24e127cc",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "2396bc91935c6da0588ce07850d07897974bd350",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "ae522ad211ec4b72eaf742b25f24b0a406afcba1",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "6a30634a2e0f1dd3c6b39fd0f114c32893a9907a",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "0b97cd8a61b2b40fd73cf92a4bb2256462d22adb",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "396350adf0e5ad4bf05f01e4d79bfb82f0f6c41a",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
},
{
"lessThan": "357445e28ff004d7f10967aa93ddb4bffa5c3688",
"status": "affected",
"version": "a23eefa2f4615af91ea496ca5b55c9e7c6fa934c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table\n\nThe function atomctrl_get_smc_sclk_range_table() does not check the return\nvalue of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to\nretrieve SMU_Info table, it returns NULL which is later dereferenced.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nIn practice this should never happen as this code only gets called\non polaris chips and the vbios data table will always be present on\nthose chips."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:45.473Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a713ba7167c2d74c477dd7764dbbdbe3199f17f4"
},
{
"url": "https://git.kernel.org/stable/c/c47066ed7c8f3b320ef87fa6217a2b8b24e127cc"
},
{
"url": "https://git.kernel.org/stable/c/2396bc91935c6da0588ce07850d07897974bd350"
},
{
"url": "https://git.kernel.org/stable/c/ae522ad211ec4b72eaf742b25f24b0a406afcba1"
},
{
"url": "https://git.kernel.org/stable/c/6a30634a2e0f1dd3c6b39fd0f114c32893a9907a"
},
{
"url": "https://git.kernel.org/stable/c/0b97cd8a61b2b40fd73cf92a4bb2256462d22adb"
},
{
"url": "https://git.kernel.org/stable/c/396350adf0e5ad4bf05f01e4d79bfb82f0f6c41a"
},
{
"url": "https://git.kernel.org/stable/c/357445e28ff004d7f10967aa93ddb4bffa5c3688"
}
],
"title": "drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58052",
"datePublished": "2025-03-06T15:53:56.877Z",
"dateReserved": "2025-03-06T15:52:09.178Z",
"dateUpdated": "2025-11-03T19:33:46.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58061 (GCVE-0-2024-58061)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: prohibit deactivating all links
In the internal API this calls this is a WARN_ON, but that
should remain since internally we want to know about bugs
that may cause this. Prevent deactivating all links in the
debugfs write directly.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:56.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/debugfs_netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfe9a043300261afe5eadc07b867a6810c4e999a",
"status": "affected",
"version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
"versionType": "git"
},
{
"lessThan": "d36e48a4d81c647df8a76cc58fd4d2442ba10744",
"status": "affected",
"version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
"versionType": "git"
},
{
"lessThan": "270ad6776e7cf1be3b769e0447070f9d0e8269db",
"status": "affected",
"version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
"versionType": "git"
},
{
"lessThan": "18100796c11dfdea9101fdc95d2428b2093477ee",
"status": "affected",
"version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
"versionType": "git"
},
{
"lessThan": "7553477cbfd784b128297f9ed43751688415bbaa",
"status": "affected",
"version": "3d901102922723eedce6ef10ebd03315a7abb8a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/debugfs_netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: prohibit deactivating all links\n\nIn the internal API this calls this is a WARN_ON, but that\nshould remain since internally we want to know about bugs\nthat may cause this. Prevent deactivating all links in the\ndebugfs write directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:04.037Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfe9a043300261afe5eadc07b867a6810c4e999a"
},
{
"url": "https://git.kernel.org/stable/c/d36e48a4d81c647df8a76cc58fd4d2442ba10744"
},
{
"url": "https://git.kernel.org/stable/c/270ad6776e7cf1be3b769e0447070f9d0e8269db"
},
{
"url": "https://git.kernel.org/stable/c/18100796c11dfdea9101fdc95d2428b2093477ee"
},
{
"url": "https://git.kernel.org/stable/c/7553477cbfd784b128297f9ed43751688415bbaa"
}
],
"title": "wifi: mac80211: prohibit deactivating all links",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58061",
"datePublished": "2025-03-06T15:54:03.924Z",
"dateReserved": "2025-03-06T15:52:09.179Z",
"dateUpdated": "2025-11-03T19:33:56.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49370 (GCVE-0-2022-49370)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()
If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object.
Fix this issue by calling kobject_put().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 Version: 948af1f0bbc8526448e8cbe3f8d3bf211bdf5181 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:21.167334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:53.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/dmi-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9bfb37d6ba7c376b0d53337a4c5f5ff324bd725",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "ed38d04342dfbe9e5aca745c8b5eb4188a74f0ef",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "c66cc3c62870a27ea8f060a7e4c1ad8d26dd3f0d",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "a724634b2a49f6ff0177a9e19a5a92fc1545e1b7",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "985706bd3bbeffc8737bc05965ca8d24837bc7db",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "fdffa4ad8f6bf1ece877edfb807f2b2c729d8578",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "3ba359ebe914ac3f8c6c832b28007c14c39d3766",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "ec752973aa721ee281d5441e497364637c626c7b",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
},
{
"lessThan": "660ba678f9998aca6db74f2dd912fa5124f0fa31",
"status": "affected",
"version": "948af1f0bbc8526448e8cbe3f8d3bf211bdf5181",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/dmi-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\n\n If this function returns an error, kobject_put() must be called to\n properly clean up the memory associated with the object.\n\nFix this issue by calling kobject_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:14.867Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9bfb37d6ba7c376b0d53337a4c5f5ff324bd725"
},
{
"url": "https://git.kernel.org/stable/c/ed38d04342dfbe9e5aca745c8b5eb4188a74f0ef"
},
{
"url": "https://git.kernel.org/stable/c/c66cc3c62870a27ea8f060a7e4c1ad8d26dd3f0d"
},
{
"url": "https://git.kernel.org/stable/c/a724634b2a49f6ff0177a9e19a5a92fc1545e1b7"
},
{
"url": "https://git.kernel.org/stable/c/985706bd3bbeffc8737bc05965ca8d24837bc7db"
},
{
"url": "https://git.kernel.org/stable/c/fdffa4ad8f6bf1ece877edfb807f2b2c729d8578"
},
{
"url": "https://git.kernel.org/stable/c/3ba359ebe914ac3f8c6c832b28007c14c39d3766"
},
{
"url": "https://git.kernel.org/stable/c/ec752973aa721ee281d5441e497364637c626c7b"
},
{
"url": "https://git.kernel.org/stable/c/660ba678f9998aca6db74f2dd912fa5124f0fa31"
}
],
"title": "firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49370",
"datePublished": "2025-02-26T02:11:13.176Z",
"dateReserved": "2025-02-26T02:08:31.555Z",
"dateUpdated": "2025-10-01T19:46:53.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49525 (GCVE-0-2022-49525)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: cx25821: Fix the warning when removing the module
When removing the module, we will get the following warning:
[ 14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'
[ 14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0
[ 14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0
[ 14.759589] Call Trace:
[ 14.759792] <TASK>
[ 14.759975] unregister_irq_proc+0x14c/0x170
[ 14.760340] irq_free_descs+0x94/0xe0
[ 14.760640] mp_unmap_irq+0xb6/0x100
[ 14.760937] acpi_unregister_gsi_ioapic+0x27/0x40
[ 14.761334] acpi_pci_irq_disable+0x1d3/0x320
[ 14.761688] pci_disable_device+0x1ad/0x380
[ 14.762027] ? _raw_spin_unlock_irqrestore+0x2d/0x60
[ 14.762442] ? cx25821_shutdown+0x20/0x9f0 [cx25821]
[ 14.762848] cx25821_finidev+0x48/0xc0 [cx25821]
[ 14.763242] pci_device_remove+0x92/0x240
Fix this by freeing the irq before call pci_disable_device().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/cx25821/cx25821-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d6295b6d986476232332fffd08575b185f90d81",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5beb85ff7d005ddb7bf604a4f2dc76f01b84b318",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "258639bc55a586ee6df92d89786ccf1c71546d70",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "222292930c8ecc3516e03ec1f9fa8448be7ff496",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3f94169affa33c9db4a439d88f09cb2ed3a33332",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1f0fc1dfb5fdd456657519a97fab83691b96c6a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d92291698e5cc35a2b8a1106a01ddd7d60ade2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "005fd553f5f10fe8618d92f94ad10f9051eac331",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2203436a4d24302871617373a7eb21bc17e38762",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/cx25821/cx25821-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx25821: Fix the warning when removing the module\n\nWhen removing the module, we will get the following warning:\n\n[ 14.746697] remove_proc_entry: removing non-empty directory \u0027irq/21\u0027, leaking at least \u0027cx25821[1]\u0027\n[ 14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0\n[ 14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0\n[ 14.759589] Call Trace:\n[ 14.759792] \u003cTASK\u003e\n[ 14.759975] unregister_irq_proc+0x14c/0x170\n[ 14.760340] irq_free_descs+0x94/0xe0\n[ 14.760640] mp_unmap_irq+0xb6/0x100\n[ 14.760937] acpi_unregister_gsi_ioapic+0x27/0x40\n[ 14.761334] acpi_pci_irq_disable+0x1d3/0x320\n[ 14.761688] pci_disable_device+0x1ad/0x380\n[ 14.762027] ? _raw_spin_unlock_irqrestore+0x2d/0x60\n[ 14.762442] ? cx25821_shutdown+0x20/0x9f0 [cx25821]\n[ 14.762848] cx25821_finidev+0x48/0xc0 [cx25821]\n[ 14.763242] pci_device_remove+0x92/0x240\n\nFix this by freeing the irq before call pci_disable_device()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:48.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d6295b6d986476232332fffd08575b185f90d81"
},
{
"url": "https://git.kernel.org/stable/c/5beb85ff7d005ddb7bf604a4f2dc76f01b84b318"
},
{
"url": "https://git.kernel.org/stable/c/258639bc55a586ee6df92d89786ccf1c71546d70"
},
{
"url": "https://git.kernel.org/stable/c/222292930c8ecc3516e03ec1f9fa8448be7ff496"
},
{
"url": "https://git.kernel.org/stable/c/3f94169affa33c9db4a439d88f09cb2ed3a33332"
},
{
"url": "https://git.kernel.org/stable/c/1f0fc1dfb5fdd456657519a97fab83691b96c6a0"
},
{
"url": "https://git.kernel.org/stable/c/9d92291698e5cc35a2b8a1106a01ddd7d60ade2d"
},
{
"url": "https://git.kernel.org/stable/c/005fd553f5f10fe8618d92f94ad10f9051eac331"
},
{
"url": "https://git.kernel.org/stable/c/2203436a4d24302871617373a7eb21bc17e38762"
}
],
"title": "media: cx25821: Fix the warning when removing the module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49525",
"datePublished": "2025-02-26T02:13:48.674Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:48.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49693 (GCVE-0-2022-49693)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf
of_graph_get_remote_node() returns remote device node pointer with
refcount incremented, we should use of_node_put() on it
when not need anymore.
Add missing of_node_put() to avoid refcount leak.
Patchwork: https://patchwork.freedesktop.org/patch/488473/
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:42.459745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1592d3e362cc59b29f15019707b16c695d70ca3",
"status": "affected",
"version": "86418f90a4c1a0073db65d8a1e2bf94421117a60",
"versionType": "git"
},
{
"lessThan": "d16a4339825e64f9ddcdff5277982d640bae933b",
"status": "affected",
"version": "86418f90a4c1a0073db65d8a1e2bf94421117a60",
"versionType": "git"
},
{
"lessThan": "3c39a17197733bc37786ed68c83267c2f491840b",
"status": "affected",
"version": "86418f90a4c1a0073db65d8a1e2bf94421117a60",
"versionType": "git"
},
{
"lessThan": "d607da76fd2b1cf1d377af9d9b7c6f8fecbb0e1d",
"status": "affected",
"version": "86418f90a4c1a0073db65d8a1e2bf94421117a60",
"versionType": "git"
},
{
"lessThan": "b9cc4598607cb7f7eae5c75fc1e3209cd52ff5e0",
"status": "affected",
"version": "86418f90a4c1a0073db65d8a1e2bf94421117a60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf\n\nof_graph_get_remote_node() returns remote device node pointer with\nrefcount incremented, we should use of_node_put() on it\nwhen not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\n\nPatchwork: https://patchwork.freedesktop.org/patch/488473/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:24.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1592d3e362cc59b29f15019707b16c695d70ca3"
},
{
"url": "https://git.kernel.org/stable/c/d16a4339825e64f9ddcdff5277982d640bae933b"
},
{
"url": "https://git.kernel.org/stable/c/3c39a17197733bc37786ed68c83267c2f491840b"
},
{
"url": "https://git.kernel.org/stable/c/d607da76fd2b1cf1d377af9d9b7c6f8fecbb0e1d"
},
{
"url": "https://git.kernel.org/stable/c/b9cc4598607cb7f7eae5c75fc1e3209cd52ff5e0"
}
],
"title": "drm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49693",
"datePublished": "2025-02-26T02:24:16.263Z",
"dateReserved": "2025-02-26T02:21:30.442Z",
"dateUpdated": "2025-10-01T19:36:45.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49217 (GCVE-0-2022-49217)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix abort all task initialization
In pm80xx_send_abort_all(), the n_elem field of the ccb used is not
initialized to 0. This missing initialization sometimes lead to the task
completion path seeing the ccb with a non-zero n_elem resulting in the
execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),
causing a crash such as:
[ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280
[ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012
[ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0
[ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0
[ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b
[ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000
[ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000
[ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000
[ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0
[ 197.762656] Call Trace:
[ 197.765127] <IRQ>
[ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]
[ 197.772364] ? do_raw_spin_unlock+0x54/0x220
[ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]
[ 197.782406] process_oq+0xe85/0x7890 [pm80xx]
[ 197.786817] ? lock_acquire+0x194/0x490
[ 197.790697] ? handle_irq_event+0x10e/0x1b0
[ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]
[ 197.800378] ? __wake_up_bit+0x100/0x100
[ 197.804340] ? lock_is_held_type+0x98/0x110
[ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx]
[ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0
[ 197.818785] __do_softirq+0x1b5/0x82d
[ 197.822485] ? do_raw_spin_unlock+0x54/0x220
[ 197.826799] __irq_exit_rcu+0x17e/0x1e0
[ 197.830678] irq_exit_rcu+0xa/0x20
[ 197.834114] common_interrupt+0x78/0x90
[ 197.840051] </IRQ>
[ 197.844236] <TASK>
[ 197.848397] asm_common_interrupt+0x1e/0x40
Avoid this issue by always initializing the ccb n_elem field to 0 in
pm8001_send_abort_all(), pm8001_send_read_log() and
pm80xx_send_abort_all().
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 Version: c6b9ef5779c3e1edfa9de949d2a51252bc347663 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c",
"drivers/scsi/pm8001/pm80xx_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9914461db82caee6c519acfbe10a86fe11bcdeca",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "d6ec4471550cc53e96485a7124c5891e6a38d1c3",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "1824a21b2cedc5774a5adfa74f5f7b90472d8677",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "765674e3b30121782a2b792684554baa48c61f5e",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "279f318bd7d6e04e6e0bc7b8cd8e190da8fa37a4",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "c8db786858d895ac58342f67767b4999ae6538fa",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "326d894adf89f3c707b7784becbe241830daaab6",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "16cd02e0951b520bef324adb9a35afcc92501caf",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
},
{
"lessThan": "7f12845c8389855dbcc67baa068b6832dc4a396e",
"status": "affected",
"version": "c6b9ef5779c3e1edfa9de949d2a51252bc347663",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c",
"drivers/scsi/pm8001/pm80xx_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix abort all task initialization\n\nIn pm80xx_send_abort_all(), the n_elem field of the ccb used is not\ninitialized to 0. This missing initialization sometimes lead to the task\ncompletion path seeing the ccb with a non-zero n_elem resulting in the\nexecution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),\ncausing a crash such as:\n\n[ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280\n[ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012\n[ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0\n[ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0\n[ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b\n[ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000\n[ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000\n[ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000\n[ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0\n[ 197.762656] Call Trace:\n[ 197.765127] \u003cIRQ\u003e\n[ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]\n[ 197.772364] ? do_raw_spin_unlock+0x54/0x220\n[ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]\n[ 197.782406] process_oq+0xe85/0x7890 [pm80xx]\n[ 197.786817] ? lock_acquire+0x194/0x490\n[ 197.790697] ? handle_irq_event+0x10e/0x1b0\n[ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]\n[ 197.800378] ? __wake_up_bit+0x100/0x100\n[ 197.804340] ? lock_is_held_type+0x98/0x110\n[ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx]\n[ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0\n[ 197.818785] __do_softirq+0x1b5/0x82d\n[ 197.822485] ? do_raw_spin_unlock+0x54/0x220\n[ 197.826799] __irq_exit_rcu+0x17e/0x1e0\n[ 197.830678] irq_exit_rcu+0xa/0x20\n[ 197.834114] common_interrupt+0x78/0x90\n[ 197.840051] \u003c/IRQ\u003e\n[ 197.844236] \u003cTASK\u003e\n[ 197.848397] asm_common_interrupt+0x1e/0x40\n\nAvoid this issue by always initializing the ccb n_elem field to 0 in\npm8001_send_abort_all(), pm8001_send_read_log() and\npm80xx_send_abort_all()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:34.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9914461db82caee6c519acfbe10a86fe11bcdeca"
},
{
"url": "https://git.kernel.org/stable/c/d6ec4471550cc53e96485a7124c5891e6a38d1c3"
},
{
"url": "https://git.kernel.org/stable/c/1824a21b2cedc5774a5adfa74f5f7b90472d8677"
},
{
"url": "https://git.kernel.org/stable/c/765674e3b30121782a2b792684554baa48c61f5e"
},
{
"url": "https://git.kernel.org/stable/c/279f318bd7d6e04e6e0bc7b8cd8e190da8fa37a4"
},
{
"url": "https://git.kernel.org/stable/c/c8db786858d895ac58342f67767b4999ae6538fa"
},
{
"url": "https://git.kernel.org/stable/c/326d894adf89f3c707b7784becbe241830daaab6"
},
{
"url": "https://git.kernel.org/stable/c/16cd02e0951b520bef324adb9a35afcc92501caf"
},
{
"url": "https://git.kernel.org/stable/c/7f12845c8389855dbcc67baa068b6832dc4a396e"
}
],
"title": "scsi: pm8001: Fix abort all task initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49217",
"datePublished": "2025-02-26T01:55:51.156Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-05-04T08:32:34.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49518 (GCVE-0-2022-49518)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload
It is possible to craft a topology where sof_get_control_data() would do
out of bounds access because it expects that it is only called when the
payload is bytes type.
Confusingly it also handles other types of controls, but the payload
parsing implementation is only valid for bytes.
Fix the code to count the non bytes controls and instead of storing a
pointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),
store the pointer to the data itself and add a new member to save the size
of the data.
In case of non bytes controls we store the pointer to the chanv itself,
which is just an array of values at the end.
In case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check
against NULL since it is incorrect and invalid in this context.
The data is pointing to the end of cdata struct, so it should never be
null.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc3-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "896b03bb7c7010042786cfae2115083d4c241dd3",
"status": "affected",
"version": "7006d20e5e9d25c079a82e2bc0ea7e292fdea6e6",
"versionType": "git"
},
{
"lessThan": "a962890a5a3cce903ff7c7a19fadee63ed9efdc7",
"status": "affected",
"version": "7006d20e5e9d25c079a82e2bc0ea7e292fdea6e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc3-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload\n\nIt is possible to craft a topology where sof_get_control_data() would do\nout of bounds access because it expects that it is only called when the\npayload is bytes type.\nConfusingly it also handles other types of controls, but the payload\nparsing implementation is only valid for bytes.\n\nFix the code to count the non bytes controls and instead of storing a\npointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),\nstore the pointer to the data itself and add a new member to save the size\nof the data.\n\nIn case of non bytes controls we store the pointer to the chanv itself,\nwhich is just an array of values at the end.\n\nIn case of bytes control, drop the wrong cdata-\u003edata (wdata[i].pdata) check\nagainst NULL since it is incorrect and invalid in this context.\nThe data is pointing to the end of cdata struct, so it should never be\nnull."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:39.327Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/896b03bb7c7010042786cfae2115083d4c241dd3"
},
{
"url": "https://git.kernel.org/stable/c/a962890a5a3cce903ff7c7a19fadee63ed9efdc7"
}
],
"title": "ASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49518",
"datePublished": "2025-02-26T02:13:45.396Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-05-04T08:39:39.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49522 (GCVE-0-2022-49522)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: jz4740: Apply DMA engine limits to maximum segment size
Do what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and
limit the maximum segment size based on the DMA engine's capabilities. This
is needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c
DMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]
CPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19
Workqueue: kblockd blk_mq_run_work_fn
Stack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac
814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444
00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62
6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009
805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000
...
Call Trace:
[<80107670>] show_stack+0x84/0x120
[<80528cd8>] __warn+0xb8/0xec
[<80528d78>] warn_slowpath_fmt+0x6c/0xb8
[<8016f1d4>] debug_dma_map_sg+0x2f4/0x39c
[<80169d4c>] __dma_map_sg_attrs+0xf0/0x118
[<8016a27c>] dma_map_sg_attrs+0x14/0x28
[<804f66b4>] jz4740_mmc_prepare_dma_data+0x74/0xa4
[<804f6714>] jz4740_mmc_pre_request+0x30/0x54
[<804f4ff4>] mmc_blk_mq_issue_rq+0x6e0/0x7bc
[<804f5590>] mmc_mq_queue_rq+0x220/0x2d4
[<8038b2c0>] blk_mq_dispatch_rq_list+0x480/0x664
[<80391040>] blk_mq_do_dispatch_sched+0x2dc/0x370
[<80391468>] __blk_mq_sched_dispatch_requests+0xec/0x164
[<80391540>] blk_mq_sched_dispatch_requests+0x44/0x94
[<80387900>] __blk_mq_run_hw_queue+0xb0/0xcc
[<80134c14>] process_one_work+0x1b8/0x264
[<80134ff8>] worker_thread+0x2ec/0x3b8
[<8013b13c>] kthread+0x104/0x10c
[<80101dcc>] ret_from_kernel_thread+0x14/0x1c
---[ end trace 0000000000000000 ]---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/jz4740_mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7923f95997a79cef2ad161a2facae64c25a0bca0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90281cadf5077f2d2bec8b08c2ead1f8cd12660e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "353298cadbd4c7d8e8a16d6000066414694933c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "807f90f1960a59dc557542b818c484a8db9ac978",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a828920b9ec0d89d3011198d482b7fe224d2de19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "afadb04f1d6e74b18a253403f5274cde5e3fd7bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/jz4740_mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: jz4740: Apply DMA engine limits to maximum segment size\n\nDo what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and\nlimit the maximum segment size based on the DMA engine\u0027s capabilities. This\nis needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c\nDMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]\nCPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19\nWorkqueue: kblockd blk_mq_run_work_fn\nStack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac\n 814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444\n 00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62\n 6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009\n 805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000\n ...\nCall Trace:\n[\u003c80107670\u003e] show_stack+0x84/0x120\n[\u003c80528cd8\u003e] __warn+0xb8/0xec\n[\u003c80528d78\u003e] warn_slowpath_fmt+0x6c/0xb8\n[\u003c8016f1d4\u003e] debug_dma_map_sg+0x2f4/0x39c\n[\u003c80169d4c\u003e] __dma_map_sg_attrs+0xf0/0x118\n[\u003c8016a27c\u003e] dma_map_sg_attrs+0x14/0x28\n[\u003c804f66b4\u003e] jz4740_mmc_prepare_dma_data+0x74/0xa4\n[\u003c804f6714\u003e] jz4740_mmc_pre_request+0x30/0x54\n[\u003c804f4ff4\u003e] mmc_blk_mq_issue_rq+0x6e0/0x7bc\n[\u003c804f5590\u003e] mmc_mq_queue_rq+0x220/0x2d4\n[\u003c8038b2c0\u003e] blk_mq_dispatch_rq_list+0x480/0x664\n[\u003c80391040\u003e] blk_mq_do_dispatch_sched+0x2dc/0x370\n[\u003c80391468\u003e] __blk_mq_sched_dispatch_requests+0xec/0x164\n[\u003c80391540\u003e] blk_mq_sched_dispatch_requests+0x44/0x94\n[\u003c80387900\u003e] __blk_mq_run_hw_queue+0xb0/0xcc\n[\u003c80134c14\u003e] process_one_work+0x1b8/0x264\n[\u003c80134ff8\u003e] worker_thread+0x2ec/0x3b8\n[\u003c8013b13c\u003e] kthread+0x104/0x10c\n[\u003c80101dcc\u003e] ret_from_kernel_thread+0x14/0x1c\n\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:43.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7923f95997a79cef2ad161a2facae64c25a0bca0"
},
{
"url": "https://git.kernel.org/stable/c/90281cadf5077f2d2bec8b08c2ead1f8cd12660e"
},
{
"url": "https://git.kernel.org/stable/c/353298cadbd4c7d8e8a16d6000066414694933c3"
},
{
"url": "https://git.kernel.org/stable/c/807f90f1960a59dc557542b818c484a8db9ac978"
},
{
"url": "https://git.kernel.org/stable/c/a828920b9ec0d89d3011198d482b7fe224d2de19"
},
{
"url": "https://git.kernel.org/stable/c/afadb04f1d6e74b18a253403f5274cde5e3fd7bd"
}
],
"title": "mmc: jz4740: Apply DMA engine limits to maximum segment size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49522",
"datePublished": "2025-02-26T02:13:47.278Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:43.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49379 (GCVE-0-2022-49379)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
Mounting NFS rootfs was timing out when deferred_probe_timeout was
non-zero [1]. This was because ip_auto_config() initcall times out
waiting for the network interfaces to show up when
deferred_probe_timeout was non-zero. While ip_auto_config() calls
wait_for_device_probe() to make sure any currently running deferred
probe work or asynchronous probe finishes, that wasn't sufficient to
account for devices being deferred until deferred_probe_timeout.
Commit 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits
until the deferred_probe_timeout fires") tried to fix that by making
sure wait_for_device_probe() waits for deferred_probe_timeout to expire
before returning.
However, if wait_for_device_probe() is called from the kernel_init()
context:
- Before deferred_probe_initcall() [2], it causes the boot process to
hang due to a deadlock.
- After deferred_probe_initcall() [3], it blocks kernel_init() from
continuing till deferred_probe_timeout expires and beats the point of
deferred_probe_timeout that's trying to wait for userspace to load
modules.
Neither of this is good. So revert the changes to
wait_for_device_probe().
[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/
[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/
[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71cbce75031aed26c72c2dc8a83111d181685f1b",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "29357883a89193863f3cc6a2c5e0b42ceb022761",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "528229474e1cbb1b3451cb713d94aecb5f6ee264",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "4ad6af07efcca85369c21e4897b3020cff2c170b",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
},
{
"lessThan": "5ee76c256e928455212ab759c51d198fedbe7523",
"status": "affected",
"version": "35a672363ab3e8dfe4ebcadb4dd0b2d06bb85ebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix wait_for_device_probe() \u0026 deferred_probe_timeout interaction\n\nMounting NFS rootfs was timing out when deferred_probe_timeout was\nnon-zero [1]. This was because ip_auto_config() initcall times out\nwaiting for the network interfaces to show up when\ndeferred_probe_timeout was non-zero. While ip_auto_config() calls\nwait_for_device_probe() to make sure any currently running deferred\nprobe work or asynchronous probe finishes, that wasn\u0027t sufficient to\naccount for devices being deferred until deferred_probe_timeout.\n\nCommit 35a672363ab3 (\"driver core: Ensure wait_for_device_probe() waits\nuntil the deferred_probe_timeout fires\") tried to fix that by making\nsure wait_for_device_probe() waits for deferred_probe_timeout to expire\nbefore returning.\n\nHowever, if wait_for_device_probe() is called from the kernel_init()\ncontext:\n\n- Before deferred_probe_initcall() [2], it causes the boot process to\n hang due to a deadlock.\n\n- After deferred_probe_initcall() [3], it blocks kernel_init() from\n continuing till deferred_probe_timeout expires and beats the point of\n deferred_probe_timeout that\u0027s trying to wait for userspace to load\n modules.\n\nNeither of this is good. So revert the changes to\nwait_for_device_probe().\n\n[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/\n[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/\n[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:25.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71cbce75031aed26c72c2dc8a83111d181685f1b"
},
{
"url": "https://git.kernel.org/stable/c/29357883a89193863f3cc6a2c5e0b42ceb022761"
},
{
"url": "https://git.kernel.org/stable/c/528229474e1cbb1b3451cb713d94aecb5f6ee264"
},
{
"url": "https://git.kernel.org/stable/c/4ad6af07efcca85369c21e4897b3020cff2c170b"
},
{
"url": "https://git.kernel.org/stable/c/5ee76c256e928455212ab759c51d198fedbe7523"
}
],
"title": "driver core: Fix wait_for_device_probe() \u0026 deferred_probe_timeout interaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49379",
"datePublished": "2025-02-26T02:11:17.795Z",
"dateReserved": "2025-02-26T02:08:31.558Z",
"dateUpdated": "2025-05-04T08:36:25.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56758 (GCVE-0-2024-56758)
Vulnerability from cvelistv5
Published
2025-01-06 16:20
Modified
2025-11-03 17:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: check folio mapping after unlock in relocate_one_folio()
When we call btrfs_read_folio() to bring a folio uptodate, we unlock the
folio. The result of that is that a different thread can modify the
mapping (like remove it with invalidate) before we call folio_lock().
This results in an invalid page and we need to try again.
In particular, if we are relocating concurrently with aborting a
transaction, this can result in a crash like the following:
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 76 PID: 1411631 Comm: kworker/u322:5
Workqueue: events_unbound btrfs_reclaim_bgs_work
RIP: 0010:set_page_extent_mapped+0x20/0xb0
RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246
RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880
RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0
R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000
R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff
FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x78/0xc0
? page_fault_oops+0x2a8/0x3a0
? __switch_to+0x133/0x530
? wq_worker_running+0xa/0x40
? exc_page_fault+0x63/0x130
? asm_exc_page_fault+0x22/0x30
? set_page_extent_mapped+0x20/0xb0
relocate_file_extent_cluster+0x1a7/0x940
relocate_data_extent+0xaf/0x120
relocate_block_group+0x20f/0x480
btrfs_relocate_block_group+0x152/0x320
btrfs_relocate_chunk+0x3d/0x120
btrfs_reclaim_bgs_work+0x2ae/0x4e0
process_scheduled_works+0x184/0x370
worker_thread+0xc6/0x3e0
? blk_add_timer+0xb0/0xb0
kthread+0xae/0xe0
? flush_tlb_kernel_range+0x90/0x90
ret_from_fork+0x2f/0x40
? flush_tlb_kernel_range+0x90/0x90
ret_from_fork_asm+0x11/0x20
</TASK>
This occurs because cleanup_one_transaction() calls
destroy_delalloc_inodes() which calls invalidate_inode_pages2() which
takes the folio_lock before setting mapping to NULL. We fail to check
this, and subsequently call set_extent_mapping(), which assumes that
mapping != NULL (in fact it asserts that in debug mode)
Note that the "fixes" patch here is not the one that introduced the
race (the very first iteration of this code from 2009) but a more recent
change that made this particular crash happen in practice.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:31:25.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36679fab54fa7bcffafd469e2c474c1fc4beaee0",
"status": "affected",
"version": "08daa38ca212d87f77beae839bc9be71079c7abf",
"versionType": "git"
},
{
"lessThan": "c7b1bd52a031ad0144d42eef0ba8471ce75122dd",
"status": "affected",
"version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
"versionType": "git"
},
{
"lessThan": "d508e56270389b3a16f5b3cf247f4eb1bbad1578",
"status": "affected",
"version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
"versionType": "git"
},
{
"lessThan": "3e74859ee35edc33a022c3f3971df066ea0ca6b9",
"status": "affected",
"version": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
"versionType": "git"
},
{
"status": "affected",
"version": "9d1e020ed9649cf140fcfafd052cfdcce9e9d67d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "6.1.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: check folio mapping after unlock in relocate_one_folio()\n\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\nfolio. The result of that is that a different thread can modify the\nmapping (like remove it with invalidate) before we call folio_lock().\nThis results in an invalid page and we need to try again.\n\nIn particular, if we are relocating concurrently with aborting a\ntransaction, this can result in a crash like the following:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP\n CPU: 76 PID: 1411631 Comm: kworker/u322:5\n Workqueue: events_unbound btrfs_reclaim_bgs_work\n RIP: 0010:set_page_extent_mapped+0x20/0xb0\n RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\n RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\n RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\n R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\n R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\n FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? __die+0x78/0xc0\n ? page_fault_oops+0x2a8/0x3a0\n ? __switch_to+0x133/0x530\n ? wq_worker_running+0xa/0x40\n ? exc_page_fault+0x63/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? set_page_extent_mapped+0x20/0xb0\n relocate_file_extent_cluster+0x1a7/0x940\n relocate_data_extent+0xaf/0x120\n relocate_block_group+0x20f/0x480\n btrfs_relocate_block_group+0x152/0x320\n btrfs_relocate_chunk+0x3d/0x120\n btrfs_reclaim_bgs_work+0x2ae/0x4e0\n process_scheduled_works+0x184/0x370\n worker_thread+0xc6/0x3e0\n ? blk_add_timer+0xb0/0xb0\n kthread+0xae/0xe0\n ? flush_tlb_kernel_range+0x90/0x90\n ret_from_fork+0x2f/0x40\n ? flush_tlb_kernel_range+0x90/0x90\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nThis occurs because cleanup_one_transaction() calls\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\ntakes the folio_lock before setting mapping to NULL. We fail to check\nthis, and subsequently call set_extent_mapping(), which assumes that\nmapping != NULL (in fact it asserts that in debug mode)\n\nNote that the \"fixes\" patch here is not the one that introduced the\nrace (the very first iteration of this code from 2009) but a more recent\nchange that made this particular crash happen in practice."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T12:57:21.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36679fab54fa7bcffafd469e2c474c1fc4beaee0"
},
{
"url": "https://git.kernel.org/stable/c/c7b1bd52a031ad0144d42eef0ba8471ce75122dd"
},
{
"url": "https://git.kernel.org/stable/c/d508e56270389b3a16f5b3cf247f4eb1bbad1578"
},
{
"url": "https://git.kernel.org/stable/c/3e74859ee35edc33a022c3f3971df066ea0ca6b9"
}
],
"title": "btrfs: check folio mapping after unlock in relocate_one_folio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56758",
"datePublished": "2025-01-06T16:20:38.942Z",
"dateReserved": "2024-12-29T11:26:39.761Z",
"dateUpdated": "2025-11-03T17:31:25.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49116 (GCVE-0-2022-49116)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use memset avoid memory leaks
Use memset to initialize structs to prevent memory leaks
in l2cap_ecred_connect
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:46.556414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:04.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9567d54e70ff58c2695c2cc2e53c86c67551d3e6",
"status": "affected",
"version": "da49b602f7f75ccc91386e1274b3ef71676cd092",
"versionType": "git"
},
{
"lessThan": "42b6a39f439b6f37cc2024d91ce547d83290ff78",
"status": "affected",
"version": "da49b602f7f75ccc91386e1274b3ef71676cd092",
"versionType": "git"
},
{
"lessThan": "e9e55acee9b7a737ec7f5161b94a78932a5514c8",
"status": "affected",
"version": "da49b602f7f75ccc91386e1274b3ef71676cd092",
"versionType": "git"
},
{
"lessThan": "d588c183a971b85c775ad66da563ee6e8bc8158f",
"status": "affected",
"version": "da49b602f7f75ccc91386e1274b3ef71676cd092",
"versionType": "git"
},
{
"lessThan": "d3715b2333e9a21692ba16ef8645eda584a9515d",
"status": "affected",
"version": "da49b602f7f75ccc91386e1274b3ef71676cd092",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use memset avoid memory leaks\n\nUse memset to initialize structs to prevent memory leaks\nin l2cap_ecred_connect"
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:14.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9567d54e70ff58c2695c2cc2e53c86c67551d3e6"
},
{
"url": "https://git.kernel.org/stable/c/42b6a39f439b6f37cc2024d91ce547d83290ff78"
},
{
"url": "https://git.kernel.org/stable/c/e9e55acee9b7a737ec7f5161b94a78932a5514c8"
},
{
"url": "https://git.kernel.org/stable/c/d588c183a971b85c775ad66da563ee6e8bc8158f"
},
{
"url": "https://git.kernel.org/stable/c/d3715b2333e9a21692ba16ef8645eda584a9515d"
}
],
"title": "Bluetooth: use memset avoid memory leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49116",
"datePublished": "2025-02-26T01:54:59.129Z",
"dateReserved": "2025-02-26T01:49:39.263Z",
"dateUpdated": "2025-10-01T19:57:04.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49497 (GCVE-0-2022-49497)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: remove two BUG() from skb_checksum_help()
I have a syzbot report that managed to get a crash in skb_checksum_help()
If syzbot can trigger these BUG(), it makes sense to replace
them with more friendly WARN_ON_ONCE() since skb_checksum_help()
can instead return an error code.
Note that syzbot will still crash there, until real bug is fixed.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:42.780419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "312c43e98ed190bd8fd7a71a0addf9539d5b8ab1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6320ae1b5876c30bf98203b6a5abe8b5c45e6a04",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5281245f3502e960cb6b89348767b935379cee3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1320c9a4d30ff54b824a8ad6036e0b5fb4c5e73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7ea0d9df2a6265b2b180d17ebc64b38105968fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: remove two BUG() from skb_checksum_help()\n\nI have a syzbot report that managed to get a crash in skb_checksum_help()\n\nIf syzbot can trigger these BUG(), it makes sense to replace\nthem with more friendly WARN_ON_ONCE() since skb_checksum_help()\ncan instead return an error code.\n\nNote that syzbot will still crash there, until real bug is fixed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:11.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/312c43e98ed190bd8fd7a71a0addf9539d5b8ab1"
},
{
"url": "https://git.kernel.org/stable/c/6320ae1b5876c30bf98203b6a5abe8b5c45e6a04"
},
{
"url": "https://git.kernel.org/stable/c/d5281245f3502e960cb6b89348767b935379cee3"
},
{
"url": "https://git.kernel.org/stable/c/b1320c9a4d30ff54b824a8ad6036e0b5fb4c5e73"
},
{
"url": "https://git.kernel.org/stable/c/d7ea0d9df2a6265b2b180d17ebc64b38105968fc"
}
],
"title": "net: remove two BUG() from skb_checksum_help()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49497",
"datePublished": "2025-02-26T02:13:32.208Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:43.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47631 (GCVE-0-2021-47631)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: davinci: da850-evm: Avoid NULL pointer dereference
With newer versions of GCC, there is a panic in da850_evm_config_emac()
when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine:
Unable to handle kernel NULL pointer dereference at virtual address 00000020
pgd = (ptrval)
[00000020] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT ARM
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1
Hardware name: Generic DT based system
PC is at da850_evm_config_emac+0x1c/0x120
LR is at do_one_initcall+0x50/0x1e0
The emac_pdata pointer in soc_info is NULL because davinci_soc_info only
gets populated on davinci machines but da850_evm_config_emac() is called
on all machines via device_initcall().
Move the rmii_en assignment below the machine check so that it is only
dereferenced when running on a supported SoC.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 Version: bae105879f2f2404155da6f50b3636193d228a62 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:51:01.274417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:09.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-davinci/board-da850-evm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c06f476e5b74bcabb8c4a2fba55864a37e62843b",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "a12b356d45cbb6e8a1b718d1436b3d6239a862f3",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "c64e2ed5cc376e137e572babfd2edc38b2cfb61b",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "89931d4762572aaee6edbe5673d41f8082de110f",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "0a312ec66a03133d28570f07bc52749ccfef54da",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "0940795c6834fbe7705acc5c3d4b2f7a5f67527a",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "c5628533a3ece64235d04fe11ec44d2be99e423d",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
},
{
"lessThan": "83a1cde5c74bfb44b49cb2a940d044bb2380f4ea",
"status": "affected",
"version": "bae105879f2f2404155da6f50b3636193d228a62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-davinci/board-da850-evm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: davinci: da850-evm: Avoid NULL pointer dereference\n\nWith newer versions of GCC, there is a panic in da850_evm_config_emac()\nwhen booting multi_v5_defconfig in QEMU under the palmetto-bmc machine:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000020\npgd = (ptrval)\n[00000020] *pgd=00000000\nInternal error: Oops: 5 [#1] PREEMPT ARM\nModules linked in:\nCPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1\nHardware name: Generic DT based system\nPC is at da850_evm_config_emac+0x1c/0x120\nLR is at do_one_initcall+0x50/0x1e0\n\nThe emac_pdata pointer in soc_info is NULL because davinci_soc_info only\ngets populated on davinci machines but da850_evm_config_emac() is called\non all machines via device_initcall().\n\nMove the rmii_en assignment below the machine check so that it is only\ndereferenced when running on a supported SoC."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:09.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c06f476e5b74bcabb8c4a2fba55864a37e62843b"
},
{
"url": "https://git.kernel.org/stable/c/a12b356d45cbb6e8a1b718d1436b3d6239a862f3"
},
{
"url": "https://git.kernel.org/stable/c/c64e2ed5cc376e137e572babfd2edc38b2cfb61b"
},
{
"url": "https://git.kernel.org/stable/c/89931d4762572aaee6edbe5673d41f8082de110f"
},
{
"url": "https://git.kernel.org/stable/c/0a312ec66a03133d28570f07bc52749ccfef54da"
},
{
"url": "https://git.kernel.org/stable/c/0940795c6834fbe7705acc5c3d4b2f7a5f67527a"
},
{
"url": "https://git.kernel.org/stable/c/c5628533a3ece64235d04fe11ec44d2be99e423d"
},
{
"url": "https://git.kernel.org/stable/c/83a1cde5c74bfb44b49cb2a940d044bb2380f4ea"
}
],
"title": "ARM: davinci: da850-evm: Avoid NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47631",
"datePublished": "2025-02-26T01:54:07.513Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-10-01T19:57:09.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49463 (GCVE-0-2022-49463)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe
of_find_node_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:03.403188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/imx_sc_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bbf522a2c51ef939d0e8835e236bfcd252193af",
"status": "affected",
"version": "e20db70dba1c0783b9878ce37171ad560b1ebaf3",
"versionType": "git"
},
{
"lessThan": "3ade442ea5d3512a3c67984489ab4d8a6fb3b29f",
"status": "affected",
"version": "e20db70dba1c0783b9878ce37171ad560b1ebaf3",
"versionType": "git"
},
{
"lessThan": "0ec10303c10833c1bcba7a1bde2f297e494d5464",
"status": "affected",
"version": "e20db70dba1c0783b9878ce37171ad560b1ebaf3",
"versionType": "git"
},
{
"lessThan": "ec0925b731697db7cab5944a3e55d2d58bb3d075",
"status": "affected",
"version": "e20db70dba1c0783b9878ce37171ad560b1ebaf3",
"versionType": "git"
},
{
"lessThan": "09700c504d8e63faffd2a2235074e8c5d130cb8f",
"status": "affected",
"version": "e20db70dba1c0783b9878ce37171ad560b1ebaf3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/imx_sc_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe\n\nof_find_node_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:16.963Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bbf522a2c51ef939d0e8835e236bfcd252193af"
},
{
"url": "https://git.kernel.org/stable/c/3ade442ea5d3512a3c67984489ab4d8a6fb3b29f"
},
{
"url": "https://git.kernel.org/stable/c/0ec10303c10833c1bcba7a1bde2f297e494d5464"
},
{
"url": "https://git.kernel.org/stable/c/ec0925b731697db7cab5944a3e55d2d58bb3d075"
},
{
"url": "https://git.kernel.org/stable/c/09700c504d8e63faffd2a2235074e8c5d130cb8f"
}
],
"title": "thermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49463",
"datePublished": "2025-02-26T02:13:09.673Z",
"dateReserved": "2025-02-26T02:08:31.576Z",
"dateUpdated": "2025-10-01T19:46:46.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21659 (GCVE-0-2025-21659)
Vulnerability from cvelistv5
Published
2025-01-21 12:18
Modified
2025-05-04 07:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netdev: prevent accessing NAPI instances from another namespace
The NAPI IDs were not fully exposed to user space prior to the netlink
API, so they were never namespaced. The netlink API must ensure that
at the very least NAPI instance belongs to the same netns as the owner
of the genl sock.
napi_by_id() can become static now, but it needs to move because of
dev_get_by_napi_id().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h",
"net/core/netdev-genl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b683ba0df11ff563cc237eb1b74d6adfa77226bf",
"status": "affected",
"version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
"versionType": "git"
},
{
"lessThan": "d1cacd74776895f6435941f86a1130e58f6dd226",
"status": "affected",
"version": "27f91aaf49b3a50e5a02ad5fa27b7c453d029a72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h",
"net/core/netdev-genl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdev: prevent accessing NAPI instances from another namespace\n\nThe NAPI IDs were not fully exposed to user space prior to the netlink\nAPI, so they were never namespaced. The netlink API must ensure that\nat the very least NAPI instance belongs to the same netns as the owner\nof the genl sock.\n\nnapi_by_id() can become static now, but it needs to move because of\ndev_get_by_napi_id()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:18:25.265Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b683ba0df11ff563cc237eb1b74d6adfa77226bf"
},
{
"url": "https://git.kernel.org/stable/c/d1cacd74776895f6435941f86a1130e58f6dd226"
}
],
"title": "netdev: prevent accessing NAPI instances from another namespace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21659",
"datePublished": "2025-01-21T12:18:15.407Z",
"dateReserved": "2024-12-29T08:45:45.732Z",
"dateUpdated": "2025-05-04T07:18:25.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49196 (GCVE-0-2022-49196)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: Fix use after free in remove_phb_dynamic()
In remove_phb_dynamic() we use &phb->io_resource, after we've called
device_unregister(&host_bridge->dev). But the unregister may have freed
phb, because pcibios_free_controller_deferred() is the release function
for the host_bridge.
If there are no outstanding references when we call device_unregister()
then phb will be freed out from under us.
This has gone mainly unnoticed, but with slub_debug and page_poison
enabled it can lead to a crash:
PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr"
#0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc
#1 [c0000000e4f075d0] oops_end at c000000000029608
#2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4
#3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8
#4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30
Data SLB Access [380] exception frame:
R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100
R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9
R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff
R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000
R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000
R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003
R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005
R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0
R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8
R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800
R30: c00000004d1d2400 R31: c00000004d1d2540
NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474
CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003
CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3
DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2
[NIP : release_resource+56]
[LR : release_resource+48]
#5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable)
#6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648
#7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]
#8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]
#9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c
#10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504
#11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868
#12 [c0000000e4f07c70] new_sync_write at c00000000054339c
#13 [c0000000e4f07d10] vfs_write at c000000000546624
#14 [c0000000e4f07d60] ksys_write at c0000000005469f4
#15 [c0000000e4f07db0] system_call_exception at c000000000030840
#16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168
To avoid it, we can take a reference to the host_bridge->dev until we're
done using phb. Then when we drop the reference the phb will be freed.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 Version: 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 Version: 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 Version: 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 Version: c3e740838fe3117413425c956ac56a5724ccd9f9 Version: 83573addff2b4e16df9fad9a561a0d77d554b370 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T18:03:23.162575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:19:08.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/pci_dlpar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33d39efb61a84e055ca2386157d39ebbdf6b7d31",
"status": "affected",
"version": "2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0",
"versionType": "git"
},
{
"lessThan": "403f9e0bc5535a0a5184d1352fa3a70e6ffacb6f",
"status": "affected",
"version": "2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0",
"versionType": "git"
},
{
"lessThan": "895ca4ae1f72e0a0160ab162723e59c9f265ec93",
"status": "affected",
"version": "2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0",
"versionType": "git"
},
{
"lessThan": "fe2640bd7a62f1f7c3f55fbda31084085075bc30",
"status": "affected",
"version": "2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0",
"versionType": "git"
},
{
"status": "affected",
"version": "c3e740838fe3117413425c956ac56a5724ccd9f9",
"versionType": "git"
},
{
"status": "affected",
"version": "83573addff2b4e16df9fad9a561a0d77d554b370",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/pci_dlpar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.7.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix use after free in remove_phb_dynamic()\n\nIn remove_phb_dynamic() we use \u0026phb-\u003eio_resource, after we\u0027ve called\ndevice_unregister(\u0026host_bridge-\u003edev). But the unregister may have freed\nphb, because pcibios_free_controller_deferred() is the release function\nfor the host_bridge.\n\nIf there are no outstanding references when we call device_unregister()\nthen phb will be freed out from under us.\n\nThis has gone mainly unnoticed, but with slub_debug and page_poison\nenabled it can lead to a crash:\n\n PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: \"drmgr\"\n #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc\n #1 [c0000000e4f075d0] oops_end at c000000000029608\n #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4\n #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8\n #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30\n Data SLB Access [380] exception frame:\n R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100\n R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9\n R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff\n R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000\n R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000\n R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003\n R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005\n R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0\n R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8\n R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800\n R30: c00000004d1d2400 R31: c00000004d1d2540\n NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474\n CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003\n CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3\n DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2\n [NIP : release_resource+56]\n [LR : release_resource+48]\n #5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable)\n #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648\n #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]\n #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]\n #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c\n #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504\n #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868\n #12 [c0000000e4f07c70] new_sync_write at c00000000054339c\n #13 [c0000000e4f07d10] vfs_write at c000000000546624\n #14 [c0000000e4f07d60] ksys_write at c0000000005469f4\n #15 [c0000000e4f07db0] system_call_exception at c000000000030840\n #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168\n\nTo avoid it, we can take a reference to the host_bridge-\u003edev until we\u0027re\ndone using phb. Then when we drop the reference the phb will be freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:21.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33d39efb61a84e055ca2386157d39ebbdf6b7d31"
},
{
"url": "https://git.kernel.org/stable/c/403f9e0bc5535a0a5184d1352fa3a70e6ffacb6f"
},
{
"url": "https://git.kernel.org/stable/c/895ca4ae1f72e0a0160ab162723e59c9f265ec93"
},
{
"url": "https://git.kernel.org/stable/c/fe2640bd7a62f1f7c3f55fbda31084085075bc30"
}
],
"title": "powerpc/pseries: Fix use after free in remove_phb_dynamic()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49196",
"datePublished": "2025-02-26T01:55:40.626Z",
"dateReserved": "2025-02-26T01:49:39.290Z",
"dateUpdated": "2025-05-04T12:44:21.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21869 (GCVE-0-2025-21869)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/code-patching: Disable KASAN report during patching via temporary mm
Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:
[ 12.028126] ==================================================================
[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1
[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3
[ 12.028408] Tainted: [T]=RANDSTRUCT
[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
[ 12.028500] Call Trace:
[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)
[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708
[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300
[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370
[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40
[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0
[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0
[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930
[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280
[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370
[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00
[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40
[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610
[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8
[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000
[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)
[ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000
[ 12.029855] IRQMASK: 0
GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005
GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000
GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90
GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80
GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8
GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580
[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030405] --- interrupt: 3000
[ 12.030444] ==================================================================
Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for
Radix MMU") is inspired from x86 but unlike x86 is doesn't disable
KASAN reports during patching. This wasn't a problem at the begining
because __patch_mem() is not instrumented.
Commit 465cabc97b42 ("powerpc/code-patching: introduce
patch_instructions()") use copy_to_kernel_nofault() to copy several
instructions at once. But when using temporary mm the destination is
not regular kernel memory but a kind of kernel-like memory located
in user address space.
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5980d4456dd66d1b6505d5ec15048bd87e8775e0",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
},
{
"lessThan": "ea291447a4031f3dac5c23d55bc83fe833820d84",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
},
{
"lessThan": "dc9c5166c3cb044f8a001e397195242fd6796eee",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[ 12.028126] ==================================================================\n[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3\n[ 12.028408] Tainted: [T]=RANDSTRUCT\n[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[ 12.028500] Call Trace:\n[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)\n[ 12.029735] MSR: 900000000280f032 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI\u003e CR: 42004848 XER: 00000000\n[ 12.029855] IRQMASK: 0\n GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[ 12.030405] --- interrupt: 3000\n[ 12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired from x86 but unlike x86 is doesn\u0027t disable\nKASAN reports during patching. This wasn\u0027t a problem at the begining\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") use copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:53.274Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0"
},
{
"url": "https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84"
},
{
"url": "https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee"
}
],
"title": "powerpc/code-patching: Disable KASAN report during patching via temporary mm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21869",
"datePublished": "2025-03-27T13:38:22.229Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:53.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21785 (GCVE-0-2025-21785)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 Version: 5d425c18653731af62831d30a4fa023d532657a9 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:30.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/cacheinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4371ac7b494e933fffee2bd6265d18d73c4f05aa",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "e4fde33107351ec33f1a64188612fbc6ca659284",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "88a3e6afaf002250220793df99404977d343db14",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "4ff25f0b18d1d0174c105e4620428bcdc1213860",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "ab90894f33c15b14c1cee6959ab6c8dcb09127f8",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "715eb1af64779e1b1aa0a7b2ffb81414d9f708e5",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "67b99a2b5811df4294c2ad50f9bff3b6a08bd618",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
},
{
"lessThan": "875d742cf5327c93cba1f11e12b08d3cce7a88d2",
"status": "affected",
"version": "5d425c18653731af62831d30a4fa023d532657a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/cacheinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array\n\nThe loop that detects/populates cache information already has a bounds\ncheck on the array size but does not account for cache levels with\nseparate data/instructions cache. Fix this by incrementing the index\nfor any populated leaf (instead of any populated level)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:12.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4371ac7b494e933fffee2bd6265d18d73c4f05aa"
},
{
"url": "https://git.kernel.org/stable/c/e4fde33107351ec33f1a64188612fbc6ca659284"
},
{
"url": "https://git.kernel.org/stable/c/88a3e6afaf002250220793df99404977d343db14"
},
{
"url": "https://git.kernel.org/stable/c/4ff25f0b18d1d0174c105e4620428bcdc1213860"
},
{
"url": "https://git.kernel.org/stable/c/ab90894f33c15b14c1cee6959ab6c8dcb09127f8"
},
{
"url": "https://git.kernel.org/stable/c/715eb1af64779e1b1aa0a7b2ffb81414d9f708e5"
},
{
"url": "https://git.kernel.org/stable/c/67b99a2b5811df4294c2ad50f9bff3b6a08bd618"
},
{
"url": "https://git.kernel.org/stable/c/875d742cf5327c93cba1f11e12b08d3cce7a88d2"
}
],
"title": "arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21785",
"datePublished": "2025-02-27T02:18:25.938Z",
"dateReserved": "2024-12-29T08:45:45.765Z",
"dateUpdated": "2025-11-03T20:59:30.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52993 (GCVE-0-2023-52993)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL
Baoquan reported that after triggering a crash the subsequent crash-kernel
fails to boot about half of the time. It triggers a NULL pointer
dereference in the periodic tick code.
This happens because the legacy timer interrupt (IRQ0) is resent in
software which happens in soft interrupt (tasklet) context. In this context
get_irq_regs() returns NULL which leads to the NULL pointer dereference.
The reason for the resend is a spurious APIC interrupt on the IRQ0 vector
which is captured and leads to a resend when the legacy timer interrupt is
enabled. This is wrong because the legacy PIC interrupts are level
triggered and therefore should never be resent in software, but nothing
ever sets the IRQ_LEVEL flag on those interrupts, so the core code does not
know about their trigger type.
Ensure that IRQ_LEVEL is set when the legacy PCI interrupts are set up.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:16.903596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:04.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/i8259.c",
"arch/x86/kernel/irqinit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "744fe9be9665227335539b7a77ece8d9ff62b6c0",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "496975d1a2937f4baadf3d985991b13fc4fc4f27",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "8770cd9d7c14aa99c255a0d08186f0be953e1638",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "e284c273dbb4c1ed68d4204bff94d0b10e4a90f5",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "0b08201158f177aab469e356b4d6af24fdd118df",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "137f1b47da5f58805da42c1b7811e28c1e353f39",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "5fa55950729d0762a787451dc52862c3f850f859",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/i8259.c",
"arch/x86/kernel/irqinit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL\n\nBaoquan reported that after triggering a crash the subsequent crash-kernel\nfails to boot about half of the time. It triggers a NULL pointer\ndereference in the periodic tick code.\n\nThis happens because the legacy timer interrupt (IRQ0) is resent in\nsoftware which happens in soft interrupt (tasklet) context. In this context\nget_irq_regs() returns NULL which leads to the NULL pointer dereference.\n\nThe reason for the resend is a spurious APIC interrupt on the IRQ0 vector\nwhich is captured and leads to a resend when the legacy timer interrupt is\nenabled. This is wrong because the legacy PIC interrupts are level\ntriggered and therefore should never be resent in software, but nothing\never sets the IRQ_LEVEL flag on those interrupts, so the core code does not\nknow about their trigger type.\n\nEnsure that IRQ_LEVEL is set when the legacy PCI interrupts are set up."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:05.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/744fe9be9665227335539b7a77ece8d9ff62b6c0"
},
{
"url": "https://git.kernel.org/stable/c/496975d1a2937f4baadf3d985991b13fc4fc4f27"
},
{
"url": "https://git.kernel.org/stable/c/8770cd9d7c14aa99c255a0d08186f0be953e1638"
},
{
"url": "https://git.kernel.org/stable/c/e284c273dbb4c1ed68d4204bff94d0b10e4a90f5"
},
{
"url": "https://git.kernel.org/stable/c/0b08201158f177aab469e356b4d6af24fdd118df"
},
{
"url": "https://git.kernel.org/stable/c/137f1b47da5f58805da42c1b7811e28c1e353f39"
},
{
"url": "https://git.kernel.org/stable/c/5fa55950729d0762a787451dc52862c3f850f859"
}
],
"title": "x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52993",
"datePublished": "2025-03-27T16:43:28.263Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-10-01T20:17:04.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49409 (GCVE-0-2022-49409)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search
Hulk Robot reported a BUG_ON:
==================================================================
kernel BUG at fs/ext4/extents_status.c:199!
[...]
RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
[...]
Call Trace:
ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
ext4_quota_enable fs/ext4/super.c:6137 [inline]
ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
mount_bdev+0x2e9/0x3b0 fs/super.c:1158
mount_fs+0x4b/0x1e4 fs/super.c:1261
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_enable_quotas
ext4_quota_enable
ext4_iget
__ext4_iget
ext4_ext_check_inode
ext4_ext_check
__ext4_ext_check
ext4_valid_extent_entries
Check for overlapping extents does't take effect
dquot_enable
vfs_load_quota_inode
v2_check_quota_file
v2_read_header
ext4_quota_read
ext4_bread
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_find_extent
ext4_cache_extents
ext4_es_cache_extent
ext4_es_cache_extent
__es_tree_search
ext4_es_end
BUG_ON(es->es_lblk + es->es_len < es->es_lblk)
The error ext4 extents is as follows:
0af3 0300 0400 0000 00000000 extent_header
00000000 0100 0000 12000000 extent1
00000000 0100 0000 18000000 extent2
02000000 0400 0000 14000000 extent3
In the ext4_valid_extent_entries function,
if prev is 0, no error is returned even if lblock<=prev.
This was intended to skip the check on the first extent, but
in the error image above, prev=0+1-1=0 when checking the second extent,
so even though lblock<=prev, the function does not return an error.
As a result, bug_ON occurs in __es_tree_search and the system panics.
To solve this problem, we only need to check that:
1. The lblock of the first extent is not less than 0.
2. The lblock of the next extent is not less than
the next block of the previous extent.
The same applies to extent_idx.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 5946d089379a35dda0e531710b48fca05446a196 Version: 4645e4ee32aee01a85bdc03348982a65c65ce216 Version: a1192c0e5d037def6763f3873d3340615c241fe7 Version: ae21dda05193c441bde106a4bbf88c185a68fbed Version: ea214c946ee77588c4313be3e9951edd25d6b270 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "4fd58b5cf118d2d9038a0b8c9cc0e43096297686",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "3c617827cd51018bc377bd2954e176920ddbcfad",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "59cf2fabbfe76de29d88dd7ae69858a25735b59f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"lessThan": "d36f6ed761b53933b0b4126486c10d3da7751e7f",
"status": "affected",
"version": "5946d089379a35dda0e531710b48fca05446a196",
"versionType": "git"
},
{
"status": "affected",
"version": "4645e4ee32aee01a85bdc03348982a65c65ce216",
"versionType": "git"
},
{
"status": "affected",
"version": "a1192c0e5d037def6763f3873d3340615c241fe7",
"versionType": "git"
},
{
"status": "affected",
"version": "ae21dda05193c441bde106a4bbf88c185a68fbed",
"versionType": "git"
},
{
"status": "affected",
"version": "ea214c946ee77588c4313be3e9951edd25d6b270",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.277",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.277",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:199!\n[...]\nRIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]\nRIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217\n[...]\nCall Trace:\n ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766\n ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561\n ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964\n ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384\n ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567\n ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980\n ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031\n ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257\n v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63\n v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82\n vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368\n dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490\n ext4_quota_enable fs/ext4/super.c:6137 [inline]\n ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163\n ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754\n mount_bdev+0x2e9/0x3b0 fs/super.c:1158\n mount_fs+0x4b/0x1e4 fs/super.c:1261\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_enable_quotas\n ext4_quota_enable\n ext4_iget\n __ext4_iget\n ext4_ext_check_inode\n ext4_ext_check\n __ext4_ext_check\n ext4_valid_extent_entries\n Check for overlapping extents does\u0027t take effect\n dquot_enable\n vfs_load_quota_inode\n v2_check_quota_file\n v2_read_header\n ext4_quota_read\n ext4_bread\n ext4_getblk\n ext4_map_blocks\n ext4_ext_map_blocks\n ext4_find_extent\n ext4_cache_extents\n ext4_es_cache_extent\n ext4_es_cache_extent\n __es_tree_search\n ext4_es_end\n BUG_ON(es-\u003ees_lblk + es-\u003ees_len \u003c es-\u003ees_lblk)\n\nThe error ext4 extents is as follows:\n0af3 0300 0400 0000 00000000 extent_header\n00000000 0100 0000 12000000 extent1\n00000000 0100 0000 18000000 extent2\n02000000 0400 0000 14000000 extent3\n\nIn the ext4_valid_extent_entries function,\nif prev is 0, no error is returned even if lblock\u003c=prev.\nThis was intended to skip the check on the first extent, but\nin the error image above, prev=0+1-1=0 when checking the second extent,\nso even though lblock\u003c=prev, the function does not return an error.\nAs a result, bug_ON occurs in __es_tree_search and the system panics.\n\nTo solve this problem, we only need to check that:\n1. The lblock of the first extent is not less than 0.\n2. The lblock of the next extent is not less than\n the next block of the previous extent.\nThe same applies to extent_idx."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:39.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f"
},
{
"url": "https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686"
},
{
"url": "https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad"
},
{
"url": "https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f"
},
{
"url": "https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a"
},
{
"url": "https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f"
}
],
"title": "ext4: fix bug_on in __es_tree_search",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49409",
"datePublished": "2025-02-26T02:12:32.591Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-05-04T12:44:39.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49695 (GCVE-0-2022-49695)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: fix a use-after-free issue in igb_clean_tx_ring
Fix the following use-after-free bug in igb_clean_tx_ring routine when
the NIC is running in XDP mode. The issue can be triggered redirecting
traffic into the igb NIC and then closing the device while the traffic
is flowing.
[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
[ 73.426565] Call Trace:
[ 73.429087] <TASK>
[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]
[ 73.436002] igb_down+0x1d7/0x220 [igb]
[ 73.439974] __igb_close+0x3c/0x120 [igb]
[ 73.444118] igb_xdp+0x10c/0x150 [igb]
[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]
[ 73.453362] dev_xdp_install+0xda/0x110
[ 73.457371] dev_xdp_attach+0x1da/0x550
[ 73.461369] do_setlink+0xfd0/0x10f0
[ 73.465166] ? __nla_validate_parse+0x89/0xc70
[ 73.469714] rtnl_setlink+0x11a/0x1e0
[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0
[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130
[ 73.482258] netlink_rcv_skb+0x8d/0x110
[ 73.486229] netlink_unicast+0x230/0x340
[ 73.490317] netlink_sendmsg+0x215/0x470
[ 73.494395] __sys_sendto+0x179/0x190
[ 73.498268] ? move_addr_to_user+0x37/0x70
[ 73.502547] ? __sys_getsockname+0x84/0xe0
[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0
[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0
[ 73.515636] __x64_sys_sendto+0x20/0x30
[ 73.519603] do_syscall_64+0x3b/0x80
[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.528712] RIP: 0033:0x7ff38d41f20c
[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
[ 73.596545] </TASK>
[ 73.598842] ---[ end trace 0000000000000000 ]---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:05.537306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:30.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66",
"status": "affected",
"version": "9cbc948b5a20c9c054d9631099c0426c16da546b",
"versionType": "git"
},
{
"lessThan": "2af944210dc23d43d8208dafac4df7be7e3c168b",
"status": "affected",
"version": "9cbc948b5a20c9c054d9631099c0426c16da546b",
"versionType": "git"
},
{
"lessThan": "68a0ed06dcd5d3ea732d011c0b83d66e4791f521",
"status": "affected",
"version": "9cbc948b5a20c9c054d9631099c0426c16da546b",
"versionType": "git"
},
{
"lessThan": "3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec",
"status": "affected",
"version": "9cbc948b5a20c9c054d9631099c0426c16da546b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: fix a use-after-free issue in igb_clean_tx_ring\n\nFix the following use-after-free bug in igb_clean_tx_ring routine when\nthe NIC is running in XDP mode. The issue can be triggered redirecting\ntraffic into the igb NIC and then closing the device while the traffic\nis flowing.\n\n[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9\n[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017\n[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0\n[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282\n[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000\n[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0\n[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058\n[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090\n[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000\n[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000\n[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0\n[ 73.426565] Call Trace:\n[ 73.429087] \u003cTASK\u003e\n[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]\n[ 73.436002] igb_down+0x1d7/0x220 [igb]\n[ 73.439974] __igb_close+0x3c/0x120 [igb]\n[ 73.444118] igb_xdp+0x10c/0x150 [igb]\n[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]\n[ 73.453362] dev_xdp_install+0xda/0x110\n[ 73.457371] dev_xdp_attach+0x1da/0x550\n[ 73.461369] do_setlink+0xfd0/0x10f0\n[ 73.465166] ? __nla_validate_parse+0x89/0xc70\n[ 73.469714] rtnl_setlink+0x11a/0x1e0\n[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0\n[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130\n[ 73.482258] netlink_rcv_skb+0x8d/0x110\n[ 73.486229] netlink_unicast+0x230/0x340\n[ 73.490317] netlink_sendmsg+0x215/0x470\n[ 73.494395] __sys_sendto+0x179/0x190\n[ 73.498268] ? move_addr_to_user+0x37/0x70\n[ 73.502547] ? __sys_getsockname+0x84/0xe0\n[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0\n[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0\n[ 73.515636] __x64_sys_sendto+0x20/0x30\n[ 73.519603] do_syscall_64+0x3b/0x80\n[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 73.528712] RIP: 0033:0x7ff38d41f20c\n[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c\n[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003\n[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0\n[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30\n[ 73.596545] \u003c/TASK\u003e\n[ 73.598842] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:26.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66"
},
{
"url": "https://git.kernel.org/stable/c/2af944210dc23d43d8208dafac4df7be7e3c168b"
},
{
"url": "https://git.kernel.org/stable/c/68a0ed06dcd5d3ea732d011c0b83d66e4791f521"
},
{
"url": "https://git.kernel.org/stable/c/3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec"
}
],
"title": "igb: fix a use-after-free issue in igb_clean_tx_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49695",
"datePublished": "2025-02-26T02:24:17.545Z",
"dateReserved": "2025-02-26T02:21:30.442Z",
"dateUpdated": "2025-05-04T08:43:26.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49462 (GCVE-0-2022-49462)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/a6xx: Fix refcount leak in a6xx_gpu_init
of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
a6xx_gmu_init() passes the node to of_find_device_by_node()
and of_dma_configure(), of_find_device_by_node() will takes its
reference, of_dma_configure() doesn't need the node after usage.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a Version: 4b565ca5a2cbbbb6345e8789da89c193b6b00e5a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:06.681342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:47.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6832e36f156ea35a6ed74bca72727806116effdd",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
},
{
"lessThan": "48e82ce8cdb19c20a5020fa446b286d6a147450c",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
},
{
"lessThan": "edff4c1af831d0c02e654eed9da7d74174de49d5",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
},
{
"lessThan": "65ddbc0d26824e2a5d6154d01d8cf39344900213",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
},
{
"lessThan": "06907a374f1b74f8f2fb30720dc6df81331e4fb5",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
},
{
"lessThan": "c56de483093d7ad0782327f95dda7da97bc4c315",
"status": "affected",
"version": "4b565ca5a2cbbbb6345e8789da89c193b6b00e5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Fix refcount leak in a6xx_gpu_init\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\n\na6xx_gmu_init() passes the node to of_find_device_by_node()\nand of_dma_configure(), of_find_device_by_node() will takes its\nreference, of_dma_configure() doesn\u0027t need the node after usage.\n\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:15.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6832e36f156ea35a6ed74bca72727806116effdd"
},
{
"url": "https://git.kernel.org/stable/c/48e82ce8cdb19c20a5020fa446b286d6a147450c"
},
{
"url": "https://git.kernel.org/stable/c/edff4c1af831d0c02e654eed9da7d74174de49d5"
},
{
"url": "https://git.kernel.org/stable/c/65ddbc0d26824e2a5d6154d01d8cf39344900213"
},
{
"url": "https://git.kernel.org/stable/c/06907a374f1b74f8f2fb30720dc6df81331e4fb5"
},
{
"url": "https://git.kernel.org/stable/c/c56de483093d7ad0782327f95dda7da97bc4c315"
}
],
"title": "drm/msm/a6xx: Fix refcount leak in a6xx_gpu_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49462",
"datePublished": "2025-02-26T02:13:09.016Z",
"dateReserved": "2025-02-26T02:08:31.576Z",
"dateUpdated": "2025-10-01T19:46:47.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49125 (GCVE-0-2022-49125)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sprd: fix potential NULL dereference
'drm' could be null in sprd_drm_shutdown, and drm_warn maybe dereference
it, remove this warning log.
v1 -> v2:
- Split checking platform_get_resource() return value to a separate patch
- Use dev_warn() instead of removing the warning log
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:31.832216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.534Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/sprd/sprd_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3acc8db1bc221604e2db9807f01d8a44b97a64d",
"status": "affected",
"version": "43531edd53f07cbe977a0b33dea6dd6c29b21fea",
"versionType": "git"
},
{
"lessThan": "8668658aebb0a19d877d5a81c004baf716c4aaa6",
"status": "affected",
"version": "43531edd53f07cbe977a0b33dea6dd6c29b21fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/sprd/sprd_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sprd: fix potential NULL dereference\n\n\u0027drm\u0027 could be null in sprd_drm_shutdown, and drm_warn maybe dereference\nit, remove this warning log.\n\n\nv1 -\u003e v2:\n- Split checking platform_get_resource() return value to a separate patch\n- Use dev_warn() instead of removing the warning log"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:31.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3acc8db1bc221604e2db9807f01d8a44b97a64d"
},
{
"url": "https://git.kernel.org/stable/c/8668658aebb0a19d877d5a81c004baf716c4aaa6"
}
],
"title": "drm/sprd: fix potential NULL dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49125",
"datePublished": "2025-02-26T01:55:03.677Z",
"dateReserved": "2025-02-26T01:49:39.265Z",
"dateUpdated": "2025-10-01T19:57:03.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49515 (GCVE-0-2022-49515)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t
The CS35L41_NUM_OTP_ELEM is 100, but only 99 entries are defined in
the array otp_map_1/2[CS35L41_NUM_OTP_ELEM], this will trigger UBSAN
to report a shift-out-of-bounds warning in the cs35l41_otp_unpack()
since the last entry in the array will result in GENMASK(-1, 0).
UBSAN reports this problem:
UBSAN: shift-out-of-bounds in /home/hwang4/build/jammy/jammy/sound/soc/codecs/cs35l41-lib.c:836:8
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23
Hardware name: LENOVO \x02MFG_IN_GO/\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022
Call Trace:
<TASK>
show_stack+0x52/0x58
dump_stack_lvl+0x4a/0x5f
dump_stack+0x10/0x12
ubsan_epilogue+0x9/0x45
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
? regmap_unlock_mutex+0xe/0x10
cs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]
cs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]
cs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]
? cs35l41_hda_i2c_remove+0x20/0x20 [snd_hda_scodec_cs35l41_i2c]
i2c_device_probe+0x252/0x2b0
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/cs35l41.h",
"sound/soc/codecs/cs35l41-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbc35268e14d5d89c7a9db72009ad4dcd9ede646",
"status": "affected",
"version": "6450ef55905688602175fae4ed1bfbfef6a14dde",
"versionType": "git"
},
{
"lessThan": "a59b9958416096dd21dc4f62b0c5be525d459ca8",
"status": "affected",
"version": "6450ef55905688602175fae4ed1bfbfef6a14dde",
"versionType": "git"
},
{
"lessThan": "9f342904216f378e88008bb0ce1ae200a4b99fe8",
"status": "affected",
"version": "6450ef55905688602175fae4ed1bfbfef6a14dde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/sound/cs35l41.h",
"sound/soc/codecs/cs35l41-lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t\n\nThe CS35L41_NUM_OTP_ELEM is 100, but only 99 entries are defined in\nthe array otp_map_1/2[CS35L41_NUM_OTP_ELEM], this will trigger UBSAN\nto report a shift-out-of-bounds warning in the cs35l41_otp_unpack()\nsince the last entry in the array will result in GENMASK(-1, 0).\n\nUBSAN reports this problem:\n UBSAN: shift-out-of-bounds in /home/hwang4/build/jammy/jammy/sound/soc/codecs/cs35l41-lib.c:836:8\n shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n CPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23\n Hardware name: LENOVO \\x02MFG_IN_GO/\\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022\n Call Trace:\n \u003cTASK\u003e\n show_stack+0x52/0x58\n dump_stack_lvl+0x4a/0x5f\n dump_stack+0x10/0x12\n ubsan_epilogue+0x9/0x45\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef\n ? regmap_unlock_mutex+0xe/0x10\n cs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]\n cs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]\n cs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]\n ? cs35l41_hda_i2c_remove+0x20/0x20 [snd_hda_scodec_cs35l41_i2c]\n i2c_device_probe+0x252/0x2b0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:35.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbc35268e14d5d89c7a9db72009ad4dcd9ede646"
},
{
"url": "https://git.kernel.org/stable/c/a59b9958416096dd21dc4f62b0c5be525d459ca8"
},
{
"url": "https://git.kernel.org/stable/c/9f342904216f378e88008bb0ce1ae200a4b99fe8"
}
],
"title": "ASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49515",
"datePublished": "2025-02-26T02:13:43.888Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-05-04T08:39:35.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49102 (GCVE-0-2022-49102)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
habanalabs: fix possible memory leak in MMU DR fini
This patch fixes what seems to be copy paste error.
We will have a memory leak if the host-resident shadow is NULL (which
will likely happen as the DR and HR are not dependent).
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:25.360080Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/habanalabs/common/mmu/mmu_v1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12e49aefda2e04b07604f13e03f40027cbeb0dc6",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
},
{
"lessThan": "6d421fb7a9eddd8ce0a05641a3db97283fe20699",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
},
{
"lessThan": "30058d3a83cfe8c6aacbfe5ab13c01dd0c1799e3",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
},
{
"lessThan": "eb85eec858c1a5c11d3a0bff403f6440b05b40dc",
"status": "affected",
"version": "0feaf86d4e69507ab9b2af7dcc63a6886352d5db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/habanalabs/common/mmu/mmu_v1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs: fix possible memory leak in MMU DR fini\n\nThis patch fixes what seems to be copy paste error.\n\nWe will have a memory leak if the host-resident shadow is NULL (which\nwill likely happen as the DR and HR are not dependent)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:54.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12e49aefda2e04b07604f13e03f40027cbeb0dc6"
},
{
"url": "https://git.kernel.org/stable/c/6d421fb7a9eddd8ce0a05641a3db97283fe20699"
},
{
"url": "https://git.kernel.org/stable/c/30058d3a83cfe8c6aacbfe5ab13c01dd0c1799e3"
},
{
"url": "https://git.kernel.org/stable/c/eb85eec858c1a5c11d3a0bff403f6440b05b40dc"
}
],
"title": "habanalabs: fix possible memory leak in MMU DR fini",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49102",
"datePublished": "2025-02-26T01:54:52.038Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-10-01T19:57:05.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21890 (GCVE-0-2025-21890)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix checksums set in idpf_rx_rsc()
idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header
is not set yet.
This triggers the following warning for CONFIG_DEBUG_NET=y builds.
DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))
[ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth
[ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697
[ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)
[ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261687] ? report_bug (lib/bug.c:?)
[ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)
[ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)
[ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf
[ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf
[ 69.261712] __napi_poll (net/core/dev.c:7194)
[ 69.261716] net_rx_action (net/core/dev.c:7265)
[ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)
[ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)
[ 69.261726] handle_softirqs (kernel/softirq.c:561)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4279bbebe00ffdbfd1a77567961886e35465cbdc",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
},
{
"lessThan": "57e68f256911f3ab4b997141975561646ccbbb8c",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
},
{
"lessThan": "674fcb4f4a7e3e277417a01788cc6daae47c3804",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix checksums set in idpf_rx_rsc()\n\nidpf_rx_rsc() uses skb_transport_offset(skb) while the transport header\nis not set yet.\n\nThis triggers the following warning for CONFIG_DEBUG_NET=y builds.\n\nDEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))\n\n[ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth\n[ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697\n[ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)\n[ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261687] ? report_bug (lib/bug.c:?)\n[ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)\n[ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)\n[ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf\n[ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf\n[ 69.261712] __napi_poll (net/core/dev.c:7194)\n[ 69.261716] net_rx_action (net/core/dev.c:7265)\n[ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)\n[ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)\n[ 69.261726] handle_softirqs (kernel/softirq.c:561)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:26.126Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4279bbebe00ffdbfd1a77567961886e35465cbdc"
},
{
"url": "https://git.kernel.org/stable/c/57e68f256911f3ab4b997141975561646ccbbb8c"
},
{
"url": "https://git.kernel.org/stable/c/674fcb4f4a7e3e277417a01788cc6daae47c3804"
}
],
"title": "idpf: fix checksums set in idpf_rx_rsc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21890",
"datePublished": "2025-03-27T14:57:16.525Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-05-04T07:23:26.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21848 (GCVE-0-2025-21848)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
Add check for the return value of nfp_app_ctrl_msg_alloc() in
nfp_bpf_cmsg_alloc() to prevent null pointer dereference.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c Version: ff3d43f7568c82b335d7df2d40a31447c3fce10c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:26:25.004433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:39.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:06.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/netronome/nfp/bpf/cmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d64c6ca420019712e194fe095b55f87363e22a9a",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "e976ea6c5e1b005c64467cbf94a8577aae9c7d81",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "924b239f9704566e0d86abd894d2d64bd73c11eb",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "1358d8e07afdf21d49ca6f00c56048442977e00a",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "29ccb1e4040da6ff02b7e64efaa2f8e6bf06020d",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "897c32cd763fd11d0b6ed024c52f44d2475bb820",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "bd97f60750bb581f07051f98e31dfda59d3a783b",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
},
{
"lessThan": "878e7b11736e062514e58f3b445ff343e6705537",
"status": "affected",
"version": "ff3d43f7568c82b335d7df2d40a31447c3fce10c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/netronome/nfp/bpf/cmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: bpf: Add check for nfp_app_ctrl_msg_alloc()\n\nAdd check for the return value of nfp_app_ctrl_msg_alloc() in\nnfp_bpf_cmsg_alloc() to prevent null pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:28.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d64c6ca420019712e194fe095b55f87363e22a9a"
},
{
"url": "https://git.kernel.org/stable/c/e976ea6c5e1b005c64467cbf94a8577aae9c7d81"
},
{
"url": "https://git.kernel.org/stable/c/924b239f9704566e0d86abd894d2d64bd73c11eb"
},
{
"url": "https://git.kernel.org/stable/c/1358d8e07afdf21d49ca6f00c56048442977e00a"
},
{
"url": "https://git.kernel.org/stable/c/29ccb1e4040da6ff02b7e64efaa2f8e6bf06020d"
},
{
"url": "https://git.kernel.org/stable/c/897c32cd763fd11d0b6ed024c52f44d2475bb820"
},
{
"url": "https://git.kernel.org/stable/c/bd97f60750bb581f07051f98e31dfda59d3a783b"
},
{
"url": "https://git.kernel.org/stable/c/878e7b11736e062514e58f3b445ff343e6705537"
}
],
"title": "nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21848",
"datePublished": "2025-03-12T09:42:04.263Z",
"dateReserved": "2024-12-29T08:45:45.779Z",
"dateUpdated": "2025-11-03T19:38:06.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49066 (GCVE-0-2022-49066)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
veth: Ensure eth header is in skb's linear part
After feeding a decapsulated packet to a veth device with act_mirred,
skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),
which expects at least ETH_HLEN byte of linear data (as
__dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes
unconditionally).
Use pskb_may_pull() to ensure veth_xmit() respects this constraint.
kernel BUG at include/linux/skbuff.h:2328!
RIP: 0010:eth_type_trans+0xcf/0x140
Call Trace:
<IRQ>
__dev_forward_skb2+0xe3/0x160
veth_xmit+0x6e/0x250 [veth]
dev_hard_start_xmit+0xc7/0x200
__dev_queue_xmit+0x47f/0x520
? skb_ensure_writable+0x85/0xa0
? skb_mpls_pop+0x98/0x1c0
tcf_mirred_act+0x442/0x47e [act_mirred]
tcf_action_exec+0x86/0x140
fl_classify+0x1d8/0x1e0 [cls_flower]
? dma_pte_clear_level+0x129/0x1a0
? dma_pte_clear_level+0x129/0x1a0
? prb_fill_curr_block+0x2f/0xc0
? skb_copy_bits+0x11a/0x220
__tcf_classify+0x58/0x110
tcf_classify_ingress+0x6b/0x140
__netif_receive_skb_core.constprop.0+0x47d/0xfd0
? __iommu_dma_unmap_swiotlb+0x44/0x90
__netif_receive_skb_one_core+0x3d/0xa0
netif_receive_skb+0x116/0x170
be_process_rx+0x22f/0x330 [be2net]
be_poll+0x13c/0x370 [be2net]
__napi_poll+0x2a/0x170
net_rx_action+0x22f/0x2f0
__do_softirq+0xca/0x2a8
__irq_exit_rcu+0xc1/0xe0
common_interrupt+0x83/0xa0
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 Version: e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3de2a02b60a4ef0ab76263216f08c7d095fc7c42",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "d417a859221f127e8edf09c14b76ab50f825e171",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "1ef0088e43af1de4e3b365218c4d3179d9a37eec",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "2fd90b86dff413fbf8128780c04ea9c6849c16e2",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "d67c900f1947d64ba8a64f693504bcaab8d9000c",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "93940fc4cb81840dc0fa202de48cccb949a0261d",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "46bc359fec0c6d87b70d7a008bcd9a5e30dd6f27",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
},
{
"lessThan": "726e2c5929de841fdcef4e2bf995680688ae1b87",
"status": "affected",
"version": "e314dbdc1c0dc6a548ecf0afce28ecfd538ff568",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Ensure eth header is in skb\u0027s linear part\n\nAfter feeding a decapsulated packet to a veth device with act_mirred,\nskb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),\nwhich expects at least ETH_HLEN byte of linear data (as\n__dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes\nunconditionally).\n\nUse pskb_may_pull() to ensure veth_xmit() respects this constraint.\n\nkernel BUG at include/linux/skbuff.h:2328!\nRIP: 0010:eth_type_trans+0xcf/0x140\nCall Trace:\n \u003cIRQ\u003e\n __dev_forward_skb2+0xe3/0x160\n veth_xmit+0x6e/0x250 [veth]\n dev_hard_start_xmit+0xc7/0x200\n __dev_queue_xmit+0x47f/0x520\n ? skb_ensure_writable+0x85/0xa0\n ? skb_mpls_pop+0x98/0x1c0\n tcf_mirred_act+0x442/0x47e [act_mirred]\n tcf_action_exec+0x86/0x140\n fl_classify+0x1d8/0x1e0 [cls_flower]\n ? dma_pte_clear_level+0x129/0x1a0\n ? dma_pte_clear_level+0x129/0x1a0\n ? prb_fill_curr_block+0x2f/0xc0\n ? skb_copy_bits+0x11a/0x220\n __tcf_classify+0x58/0x110\n tcf_classify_ingress+0x6b/0x140\n __netif_receive_skb_core.constprop.0+0x47d/0xfd0\n ? __iommu_dma_unmap_swiotlb+0x44/0x90\n __netif_receive_skb_one_core+0x3d/0xa0\n netif_receive_skb+0x116/0x170\n be_process_rx+0x22f/0x330 [be2net]\n be_poll+0x13c/0x370 [be2net]\n __napi_poll+0x2a/0x170\n net_rx_action+0x22f/0x2f0\n __do_softirq+0xca/0x2a8\n __irq_exit_rcu+0xc1/0xe0\n common_interrupt+0x83/0xa0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:00.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3de2a02b60a4ef0ab76263216f08c7d095fc7c42"
},
{
"url": "https://git.kernel.org/stable/c/d417a859221f127e8edf09c14b76ab50f825e171"
},
{
"url": "https://git.kernel.org/stable/c/1ef0088e43af1de4e3b365218c4d3179d9a37eec"
},
{
"url": "https://git.kernel.org/stable/c/2fd90b86dff413fbf8128780c04ea9c6849c16e2"
},
{
"url": "https://git.kernel.org/stable/c/d67c900f1947d64ba8a64f693504bcaab8d9000c"
},
{
"url": "https://git.kernel.org/stable/c/93940fc4cb81840dc0fa202de48cccb949a0261d"
},
{
"url": "https://git.kernel.org/stable/c/46bc359fec0c6d87b70d7a008bcd9a5e30dd6f27"
},
{
"url": "https://git.kernel.org/stable/c/726e2c5929de841fdcef4e2bf995680688ae1b87"
}
],
"title": "veth: Ensure eth header is in skb\u0027s linear part",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49066",
"datePublished": "2025-02-26T01:54:34.395Z",
"dateReserved": "2025-02-26T01:49:39.244Z",
"dateUpdated": "2025-05-04T08:29:00.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21759 (GCVE-0-2025-21759)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-05-04 07:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: extend RCU protection in igmp6_send()
igmp6_send() can be called without RTNL or RCU being held.
Extend RCU protection so that we can safely fetch the net pointer
and avoid a potential UAF.
Note that we no longer can use sock_alloc_send_skb() because
ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.
Instead use alloc_skb() and charge the net->ipv6.igmp_sk
socket under RCU protection.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:46.460072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "0bf8e2f3768629d437a32cb824149e6e98254381",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "8e92d6a413feaf968a33f0b439ecf27404407458",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
},
{
"lessThan": "087c1faa594fa07a66933d750c0b2610aa1a2946",
"status": "affected",
"version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: extend RCU protection in igmp6_send()\n\nigmp6_send() can be called without RTNL or RCU being held.\n\nExtend RCU protection so that we can safely fetch the net pointer\nand avoid a potential UAF.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net-\u003eipv6.igmp_sk\nsocket under RCU protection."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:31.433Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a"
},
{
"url": "https://git.kernel.org/stable/c/0bf8e2f3768629d437a32cb824149e6e98254381"
},
{
"url": "https://git.kernel.org/stable/c/8e92d6a413feaf968a33f0b439ecf27404407458"
},
{
"url": "https://git.kernel.org/stable/c/087c1faa594fa07a66933d750c0b2610aa1a2946"
}
],
"title": "ipv6: mcast: extend RCU protection in igmp6_send()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21759",
"datePublished": "2025-02-27T02:18:12.994Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-05-04T07:20:31.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53000 (GCVE-0-2023-53000)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: prevent potential spectre v1 gadgets
Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()
u16 type = nla_type(nla);
if (type == 0 || type > maxtype) {
/* error or continue */
}
@type is then used as an array index and can be used
as a Spectre v1 gadget.
array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.
This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/nlattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e5082b1c66c7783fbcd79b5b178573230e528ff",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "539ca5dcbc91134bbe2c45677811c31d8b030d2d",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "41b74e95f297ac360ca7ed6bf200100717cb6c45",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "992e4ff7116a77968039277b5d6aaa535c2f2184",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "f0950402e8c76e7dcb08563f1b4e8000fbc62455",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/nlattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: prevent potential spectre v1 gadgets\n\nMost netlink attributes are parsed and validated from\n__nla_validate_parse() or validate_nla()\n\n u16 type = nla_type(nla);\n\n if (type == 0 || type \u003e maxtype) {\n /* error or continue */\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.\n\nThis should take care of vast majority of netlink uses,\nbut an audit is needed to take care of others where\nvalidation is not yet centralized in core netlink functions."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:15.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e5082b1c66c7783fbcd79b5b178573230e528ff"
},
{
"url": "https://git.kernel.org/stable/c/539ca5dcbc91134bbe2c45677811c31d8b030d2d"
},
{
"url": "https://git.kernel.org/stable/c/41b74e95f297ac360ca7ed6bf200100717cb6c45"
},
{
"url": "https://git.kernel.org/stable/c/992e4ff7116a77968039277b5d6aaa535c2f2184"
},
{
"url": "https://git.kernel.org/stable/c/f0950402e8c76e7dcb08563f1b4e8000fbc62455"
}
],
"title": "netlink: prevent potential spectre v1 gadgets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53000",
"datePublished": "2025-03-27T16:43:33.208Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:15.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49129 (GCVE-0-2022-49129)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7921: fix crash when startup fails.
If the nic fails to start, it is possible that the
reset_work has already been scheduled. Ensure the
work item is canceled so we do not have use-after-free
crash in case cleanup is called before the work item
is executed.
This fixes crash on my x86_64 apu2 when mt7921k radio
fails to work. Radio still fails, but OS does not
crash.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:14.426944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38fbe806645090c07aa97171f20fc62c3d7d3a98",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "c1a5e6002ec441a3b9fb4d048b4b49ae93409a46",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "ac1260b661c2ef0d0a56680cdb5672b931b7be8f",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "827e7799c61b978fbc2cc9dac66cb62401b2b3f0",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix crash when startup fails.\n\nIf the nic fails to start, it is possible that the\nreset_work has already been scheduled. Ensure the\nwork item is canceled so we do not have use-after-free\ncrash in case cleanup is called before the work item\nis executed.\n\nThis fixes crash on my x86_64 apu2 when mt7921k radio\nfails to work. Radio still fails, but OS does not\ncrash."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:36.683Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38fbe806645090c07aa97171f20fc62c3d7d3a98"
},
{
"url": "https://git.kernel.org/stable/c/c1a5e6002ec441a3b9fb4d048b4b49ae93409a46"
},
{
"url": "https://git.kernel.org/stable/c/ac1260b661c2ef0d0a56680cdb5672b931b7be8f"
},
{
"url": "https://git.kernel.org/stable/c/827e7799c61b978fbc2cc9dac66cb62401b2b3f0"
}
],
"title": "mt76: mt7921: fix crash when startup fails.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49129",
"datePublished": "2025-02-26T01:55:05.624Z",
"dateReserved": "2025-02-26T01:49:39.266Z",
"dateUpdated": "2025-05-04T08:30:36.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26634 (GCVE-0-2024-26634)
Vulnerability from cvelistv5
Published
2024-03-18 10:14
Modified
2025-05-04 12:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix removing a namespace with conflicting altnames
Mark reports a BUG() when a net namespace is removed.
kernel BUG at net/core/dev.c:11520!
Physical interfaces moved outside of init_net get "refunded"
to init_net when that namespace disappears. The main interface
name may get overwritten in the process if it would have
conflicted. We need to also discard all conflicting altnames.
Recent fixes addressed ensuring that altnames get moved
with the main interface, which surfaced this problem.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a2232f29bf52c24f827865b3c90829c44b6c695b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e855dded4b70d1975ee7b9fed0c700391e3c8ea6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8072699aa9e67d1727692cfb3c347263bb627fb9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d09486a04f5da0a812c26217213b89a3b1acf836"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:55:13.071723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:18.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2232f29bf52c24f827865b3c90829c44b6c695b",
"status": "affected",
"version": "673edcffa0960fc154085d639e10f80b6317d3bd",
"versionType": "git"
},
{
"lessThan": "e855dded4b70d1975ee7b9fed0c700391e3c8ea6",
"status": "affected",
"version": "7663d522099ecc464512164e660bc771b2ff7b64",
"versionType": "git"
},
{
"lessThan": "8072699aa9e67d1727692cfb3c347263bb627fb9",
"status": "affected",
"version": "7663d522099ecc464512164e660bc771b2ff7b64",
"versionType": "git"
},
{
"lessThan": "d09486a04f5da0a812c26217213b89a3b1acf836",
"status": "affected",
"version": "7663d522099ecc464512164e660bc771b2ff7b64",
"versionType": "git"
},
{
"status": "affected",
"version": "f7a69786fe5ec75d1cdd71b465e74a1adc68ef40",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c",
"net/core/dev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "6.1.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix removing a namespace with conflicting altnames\n\nMark reports a BUG() when a net namespace is removed.\n\n kernel BUG at net/core/dev.c:11520!\n\nPhysical interfaces moved outside of init_net get \"refunded\"\nto init_net when that namespace disappears. The main interface\nname may get overwritten in the process if it would have\nconflicted. We need to also discard all conflicting altnames.\nRecent fixes addressed ensuring that altnames get moved\nwith the main interface, which surfaced this problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:54:19.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2232f29bf52c24f827865b3c90829c44b6c695b"
},
{
"url": "https://git.kernel.org/stable/c/e855dded4b70d1975ee7b9fed0c700391e3c8ea6"
},
{
"url": "https://git.kernel.org/stable/c/8072699aa9e67d1727692cfb3c347263bb627fb9"
},
{
"url": "https://git.kernel.org/stable/c/d09486a04f5da0a812c26217213b89a3b1acf836"
}
],
"title": "net: fix removing a namespace with conflicting altnames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26634",
"datePublished": "2024-03-18T10:14:46.639Z",
"dateReserved": "2024-02-19T14:20:24.136Z",
"dateUpdated": "2025-05-04T12:54:19.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49315 (GCVE-0-2022-49315)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
There is a deadlock in rtllib_beacons_stop(), which is shown
below:
(Thread 1) | (Thread 2)
| rtllib_send_beacon()
rtllib_beacons_stop() | mod_timer()
spin_lock_irqsave() //(1) | (wait a time)
... | rtllib_send_beacon_cb()
del_timer_sync() | spin_lock_irqsave() //(2)
(wait timer to stop) | ...
We hold ieee->beacon_lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need ieee->beacon_lock in position (2) of thread 2.
As a result, rtllib_beacons_stop() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let timer handler to obtain
the needed lock.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49315",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:03.346443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:57.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192e/rtllib_softmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4681129fda9e8555392eaaadb239ec6a6e2b3e12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "381045dc64d23a2229c47c5524c06bfc33d34446",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08bacf871c019163ccd1389d0bc957a43324967a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64b05fa212c7e4d057676e8b7e7120c6eb2f615b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f69d7d5e918aa43423d86bd17ddb11b1b5e8ada",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fef451f0fbbe85dbd2962b18379d02e2965610db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c861009bf437a18417df24cea0d181741b7d72",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffd4c4d5293e4985092ea45ba21cad9326e2e434",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b6bdbd9337de3917945847bde262a34a87a6303",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192e/rtllib_softmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()\n\nThere is a deadlock in rtllib_beacons_stop(), which is shown\nbelow:\n\n (Thread 1) | (Thread 2)\n | rtllib_send_beacon()\nrtllib_beacons_stop() | mod_timer()\n spin_lock_irqsave() //(1) | (wait a time)\n ... | rtllib_send_beacon_cb()\n del_timer_sync() | spin_lock_irqsave() //(2)\n (wait timer to stop) | ...\n\nWe hold ieee-\u003ebeacon_lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need ieee-\u003ebeacon_lock in position (2) of thread 2.\nAs a result, rtllib_beacons_stop() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irqsave(), which could let timer handler to obtain\nthe needed lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:02.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4681129fda9e8555392eaaadb239ec6a6e2b3e12"
},
{
"url": "https://git.kernel.org/stable/c/381045dc64d23a2229c47c5524c06bfc33d34446"
},
{
"url": "https://git.kernel.org/stable/c/08bacf871c019163ccd1389d0bc957a43324967a"
},
{
"url": "https://git.kernel.org/stable/c/64b05fa212c7e4d057676e8b7e7120c6eb2f615b"
},
{
"url": "https://git.kernel.org/stable/c/0f69d7d5e918aa43423d86bd17ddb11b1b5e8ada"
},
{
"url": "https://git.kernel.org/stable/c/fef451f0fbbe85dbd2962b18379d02e2965610db"
},
{
"url": "https://git.kernel.org/stable/c/46c861009bf437a18417df24cea0d181741b7d72"
},
{
"url": "https://git.kernel.org/stable/c/ffd4c4d5293e4985092ea45ba21cad9326e2e434"
},
{
"url": "https://git.kernel.org/stable/c/9b6bdbd9337de3917945847bde262a34a87a6303"
}
],
"title": "drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49315",
"datePublished": "2025-02-26T02:10:43.082Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:57.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49715 (GCVE-0-2022-49715)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions
of_find_node_by_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae Version: e3825ba1af3a27d7522c9f5f929f5a13b8b138ae |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:19.820025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:44.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e824482e2c5edacc961b7dd30a92fd47606c3036",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
},
{
"lessThan": "8d884c08eeb83142a7173cb46bcff0434ec42cf1",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
},
{
"lessThan": "506a88a5bf261d76a5214c0338a320f2214c67ac",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
},
{
"lessThan": "cc5984cf270b69d03f9f4b27063e535036c659e9",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
},
{
"lessThan": "c136c2924a59a399aa789858cfb320d481964fb7",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
},
{
"lessThan": "fa1ad9d4cc47ca2470cd904ad4519f05d7e43a2b",
"status": "affected",
"version": "e3825ba1af3a27d7522c9f5f929f5a13b8b138ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions\n\nof_find_node_by_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:56.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e824482e2c5edacc961b7dd30a92fd47606c3036"
},
{
"url": "https://git.kernel.org/stable/c/8d884c08eeb83142a7173cb46bcff0434ec42cf1"
},
{
"url": "https://git.kernel.org/stable/c/506a88a5bf261d76a5214c0338a320f2214c67ac"
},
{
"url": "https://git.kernel.org/stable/c/cc5984cf270b69d03f9f4b27063e535036c659e9"
},
{
"url": "https://git.kernel.org/stable/c/c136c2924a59a399aa789858cfb320d481964fb7"
},
{
"url": "https://git.kernel.org/stable/c/fa1ad9d4cc47ca2470cd904ad4519f05d7e43a2b"
}
],
"title": "irqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49715",
"datePublished": "2025-02-26T02:24:30.901Z",
"dateReserved": "2025-02-26T02:21:30.445Z",
"dateUpdated": "2025-10-01T19:36:44.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49524 (GCVE-0-2022-49524)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pci: cx23885: Fix the error handling in cx23885_initdev()
When the driver fails to call the dma_set_mask(), the driver will get
the following splat:
[ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
[ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
[ 55.856822] Call Trace:
[ 55.860327] __process_removed_driver+0x3c/0x240
[ 55.861347] bus_for_each_dev+0x102/0x160
[ 55.861681] i2c_del_driver+0x2f/0x50
This is because the driver has initialized the i2c related resources
in cx23885_dev_setup() but not released them in error handling, fix this
bug by modifying the error path that jumps after failing to call the
dma_set_mask().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:37.962378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/cx23885/cx23885-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6041d1a0365baa729b6adfb6ed5386d9388018db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b9978e1c94e569d65a0e7e719abb9340f5db4a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa636e9ee4442215cd9a2e079cd5a8e1fe0cb8ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca17e7a532d1a55466cc007b3f4d319541a27493",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "98106f100f50c487469903b9cf6d966785fc9cc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "86bd6a579c6c60547706cabf299cd2c9feab3332",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "453514a874c78df1e7804e6e3aaa60c8d8deb6a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e8123311cf06d7dae71e8c5fe78e0510d20cd30b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/cx23885/cx23885-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: cx23885: Fix the error handling in cx23885_initdev()\n\nWhen the driver fails to call the dma_set_mask(), the driver will get\nthe following splat:\n\n[ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240\n[ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590\n[ 55.856822] Call Trace:\n[ 55.860327] __process_removed_driver+0x3c/0x240\n[ 55.861347] bus_for_each_dev+0x102/0x160\n[ 55.861681] i2c_del_driver+0x2f/0x50\n\nThis is because the driver has initialized the i2c related resources\nin cx23885_dev_setup() but not released them in error handling, fix this\nbug by modifying the error path that jumps after failing to call the\ndma_set_mask()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:46.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6041d1a0365baa729b6adfb6ed5386d9388018db"
},
{
"url": "https://git.kernel.org/stable/c/7b9978e1c94e569d65a0e7e719abb9340f5db4a0"
},
{
"url": "https://git.kernel.org/stable/c/fa636e9ee4442215cd9a2e079cd5a8e1fe0cb8ba"
},
{
"url": "https://git.kernel.org/stable/c/ca17e7a532d1a55466cc007b3f4d319541a27493"
},
{
"url": "https://git.kernel.org/stable/c/98106f100f50c487469903b9cf6d966785fc9cc3"
},
{
"url": "https://git.kernel.org/stable/c/86bd6a579c6c60547706cabf299cd2c9feab3332"
},
{
"url": "https://git.kernel.org/stable/c/453514a874c78df1e7804e6e3aaa60c8d8deb6a8"
},
{
"url": "https://git.kernel.org/stable/c/e8123311cf06d7dae71e8c5fe78e0510d20cd30b"
}
],
"title": "media: pci: cx23885: Fix the error handling in cx23885_initdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49524",
"datePublished": "2025-02-26T02:13:48.222Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:46.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56702 (GCVE-0-2024-56702)
Vulnerability from cvelistv5
Published
2024-12-28 09:46
Modified
2025-10-01 20:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Mark raw_tp arguments with PTR_MAYBE_NULL
Arguments to a raw tracepoint are tagged as trusted, which carries the
semantics that the pointer will be non-NULL. However, in certain cases,
a raw tracepoint argument may end up being NULL. More context about this
issue is available in [0].
Thus, there is a discrepancy between the reality, that raw_tp arguments
can actually be NULL, and the verifier's knowledge, that they are never
NULL, causing explicit NULL checks to be deleted, and accesses to such
pointers potentially crashing the kernel.
To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special
case the dereference and pointer arithmetic to permit it, and allow
passing them into helpers/kfuncs; these exceptions are made for raw_tp
programs only. Ensure that we don't do this when ref_obj_id > 0, as in
that case this is an acquired object and doesn't need such adjustment.
The reason we do mask_raw_tp_trusted_reg logic is because other will
recheck in places whether the register is a trusted_reg, and then
consider our register as untrusted when detecting the presence of the
PTR_MAYBE_NULL flag.
To allow safe dereference, we enable PROBE_MEM marking when we see loads
into trusted pointers with PTR_MAYBE_NULL.
While trusted raw_tp arguments can also be passed into helpers or kfuncs
where such broken assumption may cause issues, a future patch set will
tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can
already be passed into helpers and causes similar problems. Thus, they
are left alone for now.
It is possible that these checks also permit passing non-raw_tp args
that are trusted PTR_TO_BTF_ID with null marking. In such a case,
allowing dereference when pointer is NULL expands allowed behavior, so
won't regress existing programs, and the case of passing these into
helpers is the same as above and will be dealt with later.
Also update the failure case in tp_btf_nullable selftest to capture the
new behavior, as the verifier will no longer cause an error when
directly dereference a raw tracepoint argument marked as __nullable.
[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:58:54.554579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:07.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/btf.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6",
"status": "affected",
"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
"versionType": "git"
},
{
"lessThan": "3634d4a310820567fc634bf8f1ee2b91378773e8",
"status": "affected",
"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
"versionType": "git"
},
{
"lessThan": "cb4158ce8ec8a5bb528cc1693356a5eb8058094d",
"status": "affected",
"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/btf.c",
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\n\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL. However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\n\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier\u0027s knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\n\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don\u0027t do this when ref_obj_id \u003e 0, as in\nthat case this is an acquired object and doesn\u0027t need such adjustment.\n\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\n\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\n\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\n\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon\u0027t regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\n\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n\n [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:02:50.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6"
},
{
"url": "https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8"
},
{
"url": "https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d"
}
],
"title": "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56702",
"datePublished": "2024-12-28T09:46:24.244Z",
"dateReserved": "2024-12-27T15:00:39.856Z",
"dateUpdated": "2025-10-01T20:07:07.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49710 (GCVE-0-2022-49710)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm mirror log: round up region bitmap size to BITS_PER_LONG
The code in dm-log rounds up bitset_size to 32 bits. It then uses
find_next_zero_bit_le on the allocated region. find_next_zero_bit_le
accesses the bitmap using unsigned long pointers. So, on 64-bit
architectures, it may access 4 bytes beyond the allocated size.
Fix this bug by rounding up bitset_size to BITS_PER_LONG.
This bug was found by running the lvm2 testsuite with kasan.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae460312875159285cef5bf3dc654593f404a1ef",
"status": "affected",
"version": "29121bd0b00ebb9524971a583fea4a2f7afe8041",
"versionType": "git"
},
{
"lessThan": "ba751f0d25f07aa21ce9b85372a3792bf7969d13",
"status": "affected",
"version": "29121bd0b00ebb9524971a583fea4a2f7afe8041",
"versionType": "git"
},
{
"lessThan": "0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9",
"status": "affected",
"version": "29121bd0b00ebb9524971a583fea4a2f7afe8041",
"versionType": "git"
},
{
"lessThan": "9a02f3275acc628c0d956be771405ced79ac36df",
"status": "affected",
"version": "29121bd0b00ebb9524971a583fea4a2f7afe8041",
"versionType": "git"
},
{
"lessThan": "85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0",
"status": "affected",
"version": "29121bd0b00ebb9524971a583fea4a2f7afe8041",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm mirror log: round up region bitmap size to BITS_PER_LONG\n\nThe code in dm-log rounds up bitset_size to 32 bits. It then uses\nfind_next_zero_bit_le on the allocated region. find_next_zero_bit_le\naccesses the bitmap using unsigned long pointers. So, on 64-bit\narchitectures, it may access 4 bytes beyond the allocated size.\n\nFix this bug by rounding up bitset_size to BITS_PER_LONG.\n\nThis bug was found by running the lvm2 testsuite with kasan."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:50.278Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae460312875159285cef5bf3dc654593f404a1ef"
},
{
"url": "https://git.kernel.org/stable/c/ba751f0d25f07aa21ce9b85372a3792bf7969d13"
},
{
"url": "https://git.kernel.org/stable/c/0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9"
},
{
"url": "https://git.kernel.org/stable/c/9a02f3275acc628c0d956be771405ced79ac36df"
},
{
"url": "https://git.kernel.org/stable/c/85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0"
}
],
"title": "dm mirror log: round up region bitmap size to BITS_PER_LONG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49710",
"datePublished": "2025-02-26T02:24:27.532Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-05-04T08:43:50.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49570 (GCVE-0-2022-49570)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: gpio-xilinx: Fix integer overflow
Current implementation is not able to configure more than 32 pins
due to incorrect data type. So type casting with unsigned long
to avoid it.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:36:49.913016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:37.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-xilinx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e129e5486b981d324057e6986059f852658b0d00",
"status": "affected",
"version": "02b3f84d9080b0f4297f31258307f626a43faba5",
"versionType": "git"
},
{
"lessThan": "6f16a5390640807dde420ee5ccbc4c95577aea6a",
"status": "affected",
"version": "02b3f84d9080b0f4297f31258307f626a43faba5",
"versionType": "git"
},
{
"lessThan": "32c094a09d5829ad9b02cdf667569aefa8de0ea6",
"status": "affected",
"version": "02b3f84d9080b0f4297f31258307f626a43faba5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-xilinx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: gpio-xilinx: Fix integer overflow\n\nCurrent implementation is not able to configure more than 32 pins\ndue to incorrect data type. So type casting with unsigned long\nto avoid it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:51.913Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e129e5486b981d324057e6986059f852658b0d00"
},
{
"url": "https://git.kernel.org/stable/c/6f16a5390640807dde420ee5ccbc4c95577aea6a"
},
{
"url": "https://git.kernel.org/stable/c/32c094a09d5829ad9b02cdf667569aefa8de0ea6"
}
],
"title": "gpio: gpio-xilinx: Fix integer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49570",
"datePublished": "2025-02-26T02:23:13.703Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:37.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49308 (GCVE-0-2022-49308)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
extcon: Modify extcon device to be created after driver data is set
Currently, someone can invoke the sysfs such as state_show()
intermittently before dev_set_drvdata() is done.
And it can be a cause of kernel Oops because of edev is Null at that time.
So modified the driver registration to after setting drviver data.
- Oops's backtrace.
Backtrace:
[<c067865c>] (state_show) from [<c05222e8>] (dev_attr_show)
[<c05222c0>] (dev_attr_show) from [<c02c66e0>] (sysfs_kf_seq_show)
[<c02c6648>] (sysfs_kf_seq_show) from [<c02c496c>] (kernfs_seq_show)
[<c02c4938>] (kernfs_seq_show) from [<c025e2a0>] (seq_read)
[<c025e11c>] (seq_read) from [<c02c50a0>] (kernfs_fop_read)
[<c02c5064>] (kernfs_fop_read) from [<c0231cac>] (__vfs_read)
[<c0231c5c>] (__vfs_read) from [<c0231ee0>] (vfs_read)
[<c0231e34>] (vfs_read) from [<c0232464>] (ksys_read)
[<c02323f0>] (ksys_read) from [<c02324fc>] (sys_read)
[<c02324e4>] (sys_read) from [<c00091d0>] (__sys_trace_return)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/extcon/extcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e721f3ad0535b24f19a62420f4da95212cf069c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cb81ea998c461868d1168411a867d8ffee12f23f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d472c78cc82999d07bd09193a6718016ce9cd386",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "abf3b222614f49f98e606fccdd269161c0d70204",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "368e68ad6da4317fc4170e8d92b51c13d1bfe7a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35ff1ac55d301efb3f467cf5426faaeb3452994b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "033ec4e7e59ae5e1ef1e8c10bc6552926044ed1c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5dcc2afe716d69f5112ce035cb14f007461ff189",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/extcon/extcon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nextcon: Modify extcon device to be created after driver data is set\n\nCurrently, someone can invoke the sysfs such as state_show()\nintermittently before dev_set_drvdata() is done.\nAnd it can be a cause of kernel Oops because of edev is Null at that time.\nSo modified the driver registration to after setting drviver data.\n\n- Oops\u0027s backtrace.\n\nBacktrace:\n[\u003cc067865c\u003e] (state_show) from [\u003cc05222e8\u003e] (dev_attr_show)\n[\u003cc05222c0\u003e] (dev_attr_show) from [\u003cc02c66e0\u003e] (sysfs_kf_seq_show)\n[\u003cc02c6648\u003e] (sysfs_kf_seq_show) from [\u003cc02c496c\u003e] (kernfs_seq_show)\n[\u003cc02c4938\u003e] (kernfs_seq_show) from [\u003cc025e2a0\u003e] (seq_read)\n[\u003cc025e11c\u003e] (seq_read) from [\u003cc02c50a0\u003e] (kernfs_fop_read)\n[\u003cc02c5064\u003e] (kernfs_fop_read) from [\u003cc0231cac\u003e] (__vfs_read)\n[\u003cc0231c5c\u003e] (__vfs_read) from [\u003cc0231ee0\u003e] (vfs_read)\n[\u003cc0231e34\u003e] (vfs_read) from [\u003cc0232464\u003e] (ksys_read)\n[\u003cc02323f0\u003e] (ksys_read) from [\u003cc02324fc\u003e] (sys_read)\n[\u003cc02324e4\u003e] (sys_read) from [\u003cc00091d0\u003e] (__sys_trace_return)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:53.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e721f3ad0535b24f19a62420f4da95212cf069c"
},
{
"url": "https://git.kernel.org/stable/c/cb81ea998c461868d1168411a867d8ffee12f23f"
},
{
"url": "https://git.kernel.org/stable/c/d472c78cc82999d07bd09193a6718016ce9cd386"
},
{
"url": "https://git.kernel.org/stable/c/abf3b222614f49f98e606fccdd269161c0d70204"
},
{
"url": "https://git.kernel.org/stable/c/368e68ad6da4317fc4170e8d92b51c13d1bfe7a7"
},
{
"url": "https://git.kernel.org/stable/c/35ff1ac55d301efb3f467cf5426faaeb3452994b"
},
{
"url": "https://git.kernel.org/stable/c/033ec4e7e59ae5e1ef1e8c10bc6552926044ed1c"
},
{
"url": "https://git.kernel.org/stable/c/5dcc2afe716d69f5112ce035cb14f007461ff189"
}
],
"title": "extcon: Modify extcon device to be created after driver data is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49308",
"datePublished": "2025-02-26T02:10:39.648Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-05-04T08:34:53.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47648 (GCVE-0-2021-47648)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix a memory leak in 'host1x_remove()'
Add a missing 'host1x_channel_list_free()' call in the remove function,
as already done in the error handling path of the probe function.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:29.512200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bb107332db28a0e9256c2d36a0902b85307612c",
"status": "affected",
"version": "8474b02531c4881a762c52ef869c52429e38633f",
"versionType": "git"
},
{
"lessThan": "c06577a80485511b894cb688e881ef0bc2d1d296",
"status": "affected",
"version": "8474b02531c4881a762c52ef869c52429e38633f",
"versionType": "git"
},
{
"lessThan": "5124a344983e1b9670dae7add0e4d00d589aabcd",
"status": "affected",
"version": "8474b02531c4881a762c52ef869c52429e38633f",
"versionType": "git"
},
{
"lessThan": "fe1ce680560d4f0049ffa0c687de17567421c1ec",
"status": "affected",
"version": "8474b02531c4881a762c52ef869c52429e38633f",
"versionType": "git"
},
{
"lessThan": "025c6643a81564f066d8381b9e2f4603e0f8438f",
"status": "affected",
"version": "8474b02531c4881a762c52ef869c52429e38633f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix a memory leak in \u0027host1x_remove()\u0027\n\nAdd a missing \u0027host1x_channel_list_free()\u0027 call in the remove function,\nas already done in the error handling path of the probe function."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:29.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bb107332db28a0e9256c2d36a0902b85307612c"
},
{
"url": "https://git.kernel.org/stable/c/c06577a80485511b894cb688e881ef0bc2d1d296"
},
{
"url": "https://git.kernel.org/stable/c/5124a344983e1b9670dae7add0e4d00d589aabcd"
},
{
"url": "https://git.kernel.org/stable/c/fe1ce680560d4f0049ffa0c687de17567421c1ec"
},
{
"url": "https://git.kernel.org/stable/c/025c6643a81564f066d8381b9e2f4603e0f8438f"
}
],
"title": "gpu: host1x: Fix a memory leak in \u0027host1x_remove()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47648",
"datePublished": "2025-02-26T01:54:16.100Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-10-01T19:57:07.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49427 (GCVE-0-2022-49427)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Remove clk_disable in mtk_iommu_remove
After the commit b34ea31fe013 ("iommu/mediatek: Always enable the clk on
resume"), the iommu clock is controlled by the runtime callback.
thus remove the clk control in the mtk_iommu_remove.
Otherwise, it will warning like:
echo 14018000.iommu > /sys/bus/platform/drivers/mtk-iommu/unbind
[ 51.413044] ------------[ cut here ]------------
[ 51.413648] vpp0_smi_iommu already disabled
[ 51.414233] WARNING: CPU: 2 PID: 157 at */v5.15-rc1/kernel/mediatek/
drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8
[ 51.417174] Hardware name: MT8195V/C(ENG) (DT)
[ 51.418635] pc : clk_core_disable+0xb0/0xb8
[ 51.419177] lr : clk_core_disable+0xb0/0xb8
...
[ 51.429375] Call trace:
[ 51.429694] clk_core_disable+0xb0/0xb8
[ 51.430193] clk_core_disable_lock+0x24/0x40
[ 51.430745] clk_disable+0x20/0x30
[ 51.431189] mtk_iommu_remove+0x58/0x118
[ 51.431705] platform_remove+0x28/0x60
[ 51.432197] device_release_driver_internal+0x110/0x1f0
[ 51.432873] device_driver_detach+0x18/0x28
[ 51.433418] unbind_store+0xd4/0x108
[ 51.433886] drv_attr_store+0x24/0x38
[ 51.434363] sysfs_kf_write+0x40/0x58
[ 51.434843] kernfs_fop_write_iter+0x164/0x1e0
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "053465ab20dcd324a43a1811ee98e5721e6a3e65",
"status": "affected",
"version": "b34ea31fe013569d42b7e8681ef3f717f77c5b72",
"versionType": "git"
},
{
"lessThan": "9b3bd97acb4f8954b8a43a5d63ed9050d463b4e1",
"status": "affected",
"version": "b34ea31fe013569d42b7e8681ef3f717f77c5b72",
"versionType": "git"
},
{
"lessThan": "6eaa046c696c83542c56765cdde564d9818ff1fb",
"status": "affected",
"version": "b34ea31fe013569d42b7e8681ef3f717f77c5b72",
"versionType": "git"
},
{
"lessThan": "98df772bdd1c4ce717a26289efea15cbbe4b64ed",
"status": "affected",
"version": "b34ea31fe013569d42b7e8681ef3f717f77c5b72",
"versionType": "git"
},
{
"status": "affected",
"version": "5cad9e2caa9613fdcd246bd4ebf0ffbec1cba2ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Remove clk_disable in mtk_iommu_remove\n\nAfter the commit b34ea31fe013 (\"iommu/mediatek: Always enable the clk on\nresume\"), the iommu clock is controlled by the runtime callback.\nthus remove the clk control in the mtk_iommu_remove.\n\nOtherwise, it will warning like:\n\necho 14018000.iommu \u003e /sys/bus/platform/drivers/mtk-iommu/unbind\n\n[ 51.413044] ------------[ cut here ]------------\n[ 51.413648] vpp0_smi_iommu already disabled\n[ 51.414233] WARNING: CPU: 2 PID: 157 at */v5.15-rc1/kernel/mediatek/\n drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8\n[ 51.417174] Hardware name: MT8195V/C(ENG) (DT)\n[ 51.418635] pc : clk_core_disable+0xb0/0xb8\n[ 51.419177] lr : clk_core_disable+0xb0/0xb8\n...\n[ 51.429375] Call trace:\n[ 51.429694] clk_core_disable+0xb0/0xb8\n[ 51.430193] clk_core_disable_lock+0x24/0x40\n[ 51.430745] clk_disable+0x20/0x30\n[ 51.431189] mtk_iommu_remove+0x58/0x118\n[ 51.431705] platform_remove+0x28/0x60\n[ 51.432197] device_release_driver_internal+0x110/0x1f0\n[ 51.432873] device_driver_detach+0x18/0x28\n[ 51.433418] unbind_store+0xd4/0x108\n[ 51.433886] drv_attr_store+0x24/0x38\n[ 51.434363] sysfs_kf_write+0x40/0x58\n[ 51.434843] kernfs_fop_write_iter+0x164/0x1e0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:41.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/053465ab20dcd324a43a1811ee98e5721e6a3e65"
},
{
"url": "https://git.kernel.org/stable/c/9b3bd97acb4f8954b8a43a5d63ed9050d463b4e1"
},
{
"url": "https://git.kernel.org/stable/c/6eaa046c696c83542c56765cdde564d9818ff1fb"
},
{
"url": "https://git.kernel.org/stable/c/98df772bdd1c4ce717a26289efea15cbbe4b64ed"
}
],
"title": "iommu/mediatek: Remove clk_disable in mtk_iommu_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49427",
"datePublished": "2025-02-26T02:12:47.692Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T12:44:41.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21761 (GCVE-0-2025-21761)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
ovs_vport_cmd_fill_info() can be called without RTNL or RCU.
Use RCU protection and dev_net_rcu() to avoid potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b Version: 9354d452034273a50a4fd703bea31e5d6b1fc20b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:35.920303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:08.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e85a25d1a9985645e796039e843d1de581d2de1e",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "a8816b3f1f151373fd30f1996f00480126c8bb11",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "a884f57600e463f69d7b279c4598b865260b62a1",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "7e01abc34e87abd091e619161a20f54ed4e3e2da",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "8ec57509c36c8b9a23e50b7858dda0c520a2d074",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "a849a10de5e04d798f7f286a2f1ca174719a617a",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "5828937742af74666192835d657095d95c53dbd0",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
},
{
"lessThan": "90b2f49a502fa71090d9f4fe29a2f51fe5dff76d",
"status": "affected",
"version": "9354d452034273a50a4fd703bea31e5d6b1fc20b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: use RCU protection in ovs_vport_cmd_fill_info()\n\novs_vport_cmd_fill_info() can be called without RTNL or RCU.\n\nUse RCU protection and dev_net_rcu() to avoid potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:33.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e85a25d1a9985645e796039e843d1de581d2de1e"
},
{
"url": "https://git.kernel.org/stable/c/a8816b3f1f151373fd30f1996f00480126c8bb11"
},
{
"url": "https://git.kernel.org/stable/c/a884f57600e463f69d7b279c4598b865260b62a1"
},
{
"url": "https://git.kernel.org/stable/c/7e01abc34e87abd091e619161a20f54ed4e3e2da"
},
{
"url": "https://git.kernel.org/stable/c/8ec57509c36c8b9a23e50b7858dda0c520a2d074"
},
{
"url": "https://git.kernel.org/stable/c/a849a10de5e04d798f7f286a2f1ca174719a617a"
},
{
"url": "https://git.kernel.org/stable/c/5828937742af74666192835d657095d95c53dbd0"
},
{
"url": "https://git.kernel.org/stable/c/90b2f49a502fa71090d9f4fe29a2f51fe5dff76d"
}
],
"title": "openvswitch: use RCU protection in ovs_vport_cmd_fill_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21761",
"datePublished": "2025-02-27T02:18:14.054Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:08.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-1048 (GCVE-0-2022-1048)
Vulnerability from cvelistv5
Published
2022-04-29 15:34
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai%40suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
},
{
"name": "DSA-5127",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5127"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
},
{
"name": "DSA-5173",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5173"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux kernel 5.17-rc9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-04T10:06:10",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai%40suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
},
{
"name": "DSA-5127",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5127"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
},
{
"name": "DSA-5173",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5173"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-1048",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kernel",
"version": {
"version_data": [
{
"version_value": "Linux kernel 5.17-rc9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
},
{
"name": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai@suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3",
"refsource": "MISC",
"url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai@suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
},
{
"name": "DSA-5127",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5127"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220629-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
},
{
"name": "DSA-5173",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5173"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1048",
"datePublished": "2022-04-29T15:34:44",
"dateReserved": "2022-03-22T00:00:00",
"dateUpdated": "2024-08-02T23:47:43.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21810 (GCVE-0-2025-21810)
Vulnerability from cvelistv5
Published
2025-02-27 20:01
Modified
2025-05-04 07:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()
There are a potential wild pointer dereferences issue regarding APIs
class_dev_iter_(init|next|exit)(), as explained by below typical usage:
// All members of @iter are wild pointers.
struct class_dev_iter iter;
// class_dev_iter_init(@iter, @class, ...) checks parameter @class for
// potential class_to_subsys() error, and it returns void type and does
// not initialize its output parameter @iter, so caller can not detect
// the error and continues to invoke class_dev_iter_next(@iter) even if
// @iter still contains wild pointers.
class_dev_iter_init(&iter, ...);
// Dereference these wild pointers in @iter here once suffer the error.
while (dev = class_dev_iter_next(&iter)) { ... };
// Also dereference these wild pointers here.
class_dev_iter_exit(&iter);
Actually, all callers of these APIs have such usage pattern in kernel tree.
Fix by:
- Initialize output parameter @iter by memset() in class_dev_iter_init()
and give callers prompt by pr_crit() for the error.
- Check if @iter is valid in class_dev_iter_next().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4b9bc823b0cfdebfed479c0e87d6939c7562e87",
"status": "affected",
"version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
"versionType": "git"
},
{
"lessThan": "1614e75d1a1b63db6421c7a4bf37004720c7376c",
"status": "affected",
"version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
"versionType": "git"
},
{
"lessThan": "5c504e9767b947cf7d4e29b811c0c8b3c53242b7",
"status": "affected",
"version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
"versionType": "git"
},
{
"lessThan": "e128f82f7006991c99a58114f70ef61e937b1ac1",
"status": "affected",
"version": "7b884b7f24b42fa25e92ed724ad82f137610afaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: class: Fix wild pointer dereferences in API class_dev_iter_next()\n\nThere are a potential wild pointer dereferences issue regarding APIs\nclass_dev_iter_(init|next|exit)(), as explained by below typical usage:\n\n// All members of @iter are wild pointers.\nstruct class_dev_iter iter;\n\n// class_dev_iter_init(@iter, @class, ...) checks parameter @class for\n// potential class_to_subsys() error, and it returns void type and does\n// not initialize its output parameter @iter, so caller can not detect\n// the error and continues to invoke class_dev_iter_next(@iter) even if\n// @iter still contains wild pointers.\nclass_dev_iter_init(\u0026iter, ...);\n\n// Dereference these wild pointers in @iter here once suffer the error.\nwhile (dev = class_dev_iter_next(\u0026iter)) { ... };\n\n// Also dereference these wild pointers here.\nclass_dev_iter_exit(\u0026iter);\n\nActually, all callers of these APIs have such usage pattern in kernel tree.\nFix by:\n- Initialize output parameter @iter by memset() in class_dev_iter_init()\n and give callers prompt by pr_crit() for the error.\n- Check if @iter is valid in class_dev_iter_next()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:40.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87"
},
{
"url": "https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c"
},
{
"url": "https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7"
},
{
"url": "https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1"
}
],
"title": "driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21810",
"datePublished": "2025-02-27T20:01:01.630Z",
"dateReserved": "2024-12-29T08:45:45.772Z",
"dateUpdated": "2025-05-04T07:21:40.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49327 (GCVE-0-2022-49327)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: avoid journal no-space deadlock by reserving 1 journal bucket
The journal no-space deadlock was reported time to time. Such deadlock
can happen in the following situation.
When all journal buckets are fully filled by active jset with heavy
write I/O load, the cache set registration (after a reboot) will load
all active jsets and inserting them into the btree again (which is
called journal replay). If a journaled bkey is inserted into a btree
node and results btree node split, new journal request might be
triggered. For example, the btree grows one more level after the node
split, then the root node record in cache device super block will be
upgrade by bch_journal_meta() from bch_btree_set_root(). But there is no
space in journal buckets, the journal replay has to wait for new journal
bucket to be reclaimed after at least one journal bucket replayed. This
is one example that how the journal no-space deadlock happens.
The solution to avoid the deadlock is to reserve 1 journal bucket in
run time, and only permit the reserved journal bucket to be used during
cache set registration procedure for things like journal replay. Then
the journal space will never be fully filled, there is no chance for
journal no-space deadlock to happen anymore.
This patch adds a new member "bool do_reserve" in struct journal, it is
inititalized to 0 (false) when struct journal is allocated, and set to
1 (true) by bch_journal_space_reserve() when all initialization done in
run_cache_set(). In the run time when journal_reclaim() tries to
allocate a new journal bucket, free_journal_buckets() is called to check
whether there are enough free journal buckets to use. If there is only
1 free journal bucket and journal->do_reserve is 1 (true), the last
bucket is reserved and free_journal_buckets() will return 0 to indicate
no free journal bucket. Then journal_reclaim() will give up, and try
next time to see whetheer there is free journal bucket to allocate. By
this method, there is always 1 jouranl bucket reserved in run time.
During the cache set registration, journal->do_reserve is 0 (false), so
the reserved journal bucket can be used to avoid the no-space deadlock.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:27.047873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/journal.c",
"drivers/md/bcache/journal.h",
"drivers/md/bcache/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59afd4f287900c8187e968a4153ed35e6b48efce",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "5607652823ac65e2c6885e73bd46d5a4f9a20363",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "1dda32aed6f62c163f38ff947ef5b3360e329159",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
},
{
"lessThan": "32feee36c30ea06e38ccb8ae6e5c44c6eec790a6",
"status": "affected",
"version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/journal.c",
"drivers/md/bcache/journal.h",
"drivers/md/bcache/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: avoid journal no-space deadlock by reserving 1 journal bucket\n\nThe journal no-space deadlock was reported time to time. Such deadlock\ncan happen in the following situation.\n\nWhen all journal buckets are fully filled by active jset with heavy\nwrite I/O load, the cache set registration (after a reboot) will load\nall active jsets and inserting them into the btree again (which is\ncalled journal replay). If a journaled bkey is inserted into a btree\nnode and results btree node split, new journal request might be\ntriggered. For example, the btree grows one more level after the node\nsplit, then the root node record in cache device super block will be\nupgrade by bch_journal_meta() from bch_btree_set_root(). But there is no\nspace in journal buckets, the journal replay has to wait for new journal\nbucket to be reclaimed after at least one journal bucket replayed. This\nis one example that how the journal no-space deadlock happens.\n\nThe solution to avoid the deadlock is to reserve 1 journal bucket in\nrun time, and only permit the reserved journal bucket to be used during\ncache set registration procedure for things like journal replay. Then\nthe journal space will never be fully filled, there is no chance for\njournal no-space deadlock to happen anymore.\n\nThis patch adds a new member \"bool do_reserve\" in struct journal, it is\ninititalized to 0 (false) when struct journal is allocated, and set to\n1 (true) by bch_journal_space_reserve() when all initialization done in\nrun_cache_set(). In the run time when journal_reclaim() tries to\nallocate a new journal bucket, free_journal_buckets() is called to check\nwhether there are enough free journal buckets to use. If there is only\n1 free journal bucket and journal-\u003edo_reserve is 1 (true), the last\nbucket is reserved and free_journal_buckets() will return 0 to indicate\nno free journal bucket. Then journal_reclaim() will give up, and try\nnext time to see whetheer there is free journal bucket to allocate. By\nthis method, there is always 1 jouranl bucket reserved in run time.\n\nDuring the cache set registration, journal-\u003edo_reserve is 0 (false), so\nthe reserved journal bucket can be used to avoid the no-space deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T17:19:14.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59afd4f287900c8187e968a4153ed35e6b48efce"
},
{
"url": "https://git.kernel.org/stable/c/5607652823ac65e2c6885e73bd46d5a4f9a20363"
},
{
"url": "https://git.kernel.org/stable/c/6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497"
},
{
"url": "https://git.kernel.org/stable/c/1dda32aed6f62c163f38ff947ef5b3360e329159"
},
{
"url": "https://git.kernel.org/stable/c/32feee36c30ea06e38ccb8ae6e5c44c6eec790a6"
}
],
"title": "bcache: avoid journal no-space deadlock by reserving 1 journal bucket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49327",
"datePublished": "2025-02-26T02:10:49.092Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-10-01T19:46:55.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49232 (GCVE-0-2022-49232)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()
is assigned to mode and is passed to drm_mode_probed_add() directly after
that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and
there is a dereference of it in list_add_tail() without recoveries, which
could lead to NULL pointer dereference on failure of
amdgpu_dm_create_common_mode().
Fix this by adding a NULL check of mode.
This bug was found by a static analyzer.
Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf Version: e7b07ceef2a650e5ed8ca37997689e086c680daf |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:07.786921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:03.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c729dec8c1e3e2892fde5ce8181553860914e74",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "57f4ad5e286fe4599c8fc63cf89f85f9eec7f9c9",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "19a7eba284790cfbba2945deb2363cf03ce41648",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "bdc7429708a0772d90c208975694f7c2133b1202",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "f4eaa999fec78dec2a9c2d797438e05cbffb125b",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "639b3b9def0a6a3f316a195d705d14113236e89c",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
},
{
"lessThan": "588a70177df3b1777484267584ef38ab2ca899a2",
"status": "affected",
"version": "e7b07ceef2a650e5ed8ca37997689e086c680daf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()\n\nIn amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()\nis assigned to mode and is passed to drm_mode_probed_add() directly after\nthat. drm_mode_probed_add() passes \u0026mode-\u003ehead to list_add_tail(), and\nthere is a dereference of it in list_add_tail() without recoveries, which\ncould lead to NULL pointer dereference on failure of\namdgpu_dm_create_common_mode().\n\nFix this by adding a NULL check of mode.\n\nThis bug was found by a static analyzer.\n\nBuilds with \u0027make allyesconfig\u0027 show no new warnings,\nand our static analyzer no longer warns about this code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:58.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c729dec8c1e3e2892fde5ce8181553860914e74"
},
{
"url": "https://git.kernel.org/stable/c/57f4ad5e286fe4599c8fc63cf89f85f9eec7f9c9"
},
{
"url": "https://git.kernel.org/stable/c/19a7eba284790cfbba2945deb2363cf03ce41648"
},
{
"url": "https://git.kernel.org/stable/c/bdc7429708a0772d90c208975694f7c2133b1202"
},
{
"url": "https://git.kernel.org/stable/c/f4eaa999fec78dec2a9c2d797438e05cbffb125b"
},
{
"url": "https://git.kernel.org/stable/c/639b3b9def0a6a3f316a195d705d14113236e89c"
},
{
"url": "https://git.kernel.org/stable/c/588a70177df3b1777484267584ef38ab2ca899a2"
}
],
"title": "drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49232",
"datePublished": "2025-02-26T01:55:58.618Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-10-01T19:47:03.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49434 (GCVE-0-2022-49434)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()
The sysfs sriov_numvfs_store() path acquires the device lock before the
config space access lock:
sriov_numvfs_store
device_lock # A (1) acquire device lock
sriov_configure
vfio_pci_sriov_configure # (for example)
vfio_pci_core_sriov_configure
pci_disable_sriov
sriov_disable
pci_cfg_access_lock
pci_wait_cfg # B (4) wait for dev->block_cfg_access == 0
Previously, pci_dev_lock() acquired the config space access lock before the
device lock:
pci_dev_lock
pci_cfg_access_lock
dev->block_cfg_access = 1 # B (2) set dev->block_cfg_access = 1
device_lock # A (3) wait for device lock
Any path that uses pci_dev_lock(), e.g., pci_reset_function(), may
deadlock with sriov_numvfs_store() if the operations occur in the sequence
(1) (2) (3) (4).
Avoid the deadlock by reversing the order in pci_dev_lock() so it acquires
the device lock before the config space access lock, the same as the
sriov_numvfs_store() path.
[bhelgaas: combined and adapted commit log from Jay Zhou's independent
subsequent posting:
https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da9792920ab525b8a932aa9aeee34529ad7b83f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c3c6dc1853b8bf3c718f96fd8480a6eb09ba4831",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aed6d4d519210c28817948f34c53b6e058e0456c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9a81f9ed6ae3554621d6a50220b1bc74b67d81e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eff3587b9c01439b738298475e555c028ac9f55e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cdd5284035322795b0964f899eefba254cfe483",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea047f51172aa68841adef7f52d375002438b8f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "59ea6b3ae51df7cd6bfd84c9c0030609b9315622",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a91ee0e9fca9d7501286cfbced9b30a33e52740a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()\n\nThe sysfs sriov_numvfs_store() path acquires the device lock before the\nconfig space access lock:\n\n sriov_numvfs_store\n device_lock # A (1) acquire device lock\n sriov_configure\n vfio_pci_sriov_configure # (for example)\n vfio_pci_core_sriov_configure\n pci_disable_sriov\n sriov_disable\n pci_cfg_access_lock\n pci_wait_cfg # B (4) wait for dev-\u003eblock_cfg_access == 0\n\nPreviously, pci_dev_lock() acquired the config space access lock before the\ndevice lock:\n\n pci_dev_lock\n pci_cfg_access_lock\n dev-\u003eblock_cfg_access = 1 # B (2) set dev-\u003eblock_cfg_access = 1\n device_lock # A (3) wait for device lock\n\nAny path that uses pci_dev_lock(), e.g., pci_reset_function(), may\ndeadlock with sriov_numvfs_store() if the operations occur in the sequence\n(1) (2) (3) (4).\n\nAvoid the deadlock by reversing the order in pci_dev_lock() so it acquires\nthe device lock before the config space access lock, the same as the\nsriov_numvfs_store() path.\n\n[bhelgaas: combined and adapted commit log from Jay Zhou\u0027s independent\nsubsequent posting:\nhttps://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:35.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da9792920ab525b8a932aa9aeee34529ad7b83f7"
},
{
"url": "https://git.kernel.org/stable/c/c3c6dc1853b8bf3c718f96fd8480a6eb09ba4831"
},
{
"url": "https://git.kernel.org/stable/c/aed6d4d519210c28817948f34c53b6e058e0456c"
},
{
"url": "https://git.kernel.org/stable/c/c9a81f9ed6ae3554621d6a50220b1bc74b67d81e"
},
{
"url": "https://git.kernel.org/stable/c/eff3587b9c01439b738298475e555c028ac9f55e"
},
{
"url": "https://git.kernel.org/stable/c/2cdd5284035322795b0964f899eefba254cfe483"
},
{
"url": "https://git.kernel.org/stable/c/ea047f51172aa68841adef7f52d375002438b8f0"
},
{
"url": "https://git.kernel.org/stable/c/59ea6b3ae51df7cd6bfd84c9c0030609b9315622"
},
{
"url": "https://git.kernel.org/stable/c/a91ee0e9fca9d7501286cfbced9b30a33e52740a"
}
],
"title": "PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49434",
"datePublished": "2025-02-26T02:12:51.068Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:35.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49704 (GCVE-0-2022-49704)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p: fix fid refcount leak in v9fs_vfs_get_link
we check for protocol version later than required, after a fid has
been obtained. Just move the version check earlier.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:36.007976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/vfs_inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0126bcaee81dabc1926012126aa74caa03a4c6e",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
},
{
"lessThan": "e7b6d622bd812013eb39c8f4cd65b7ee8ede1e02",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
},
{
"lessThan": "e5690f263208c5abce7451370b7786eb25b405eb",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/vfs_inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix fid refcount leak in v9fs_vfs_get_link\n\nwe check for protocol version later than required, after a fid has\nbeen obtained. Just move the version check earlier."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:37.789Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0126bcaee81dabc1926012126aa74caa03a4c6e"
},
{
"url": "https://git.kernel.org/stable/c/e7b6d622bd812013eb39c8f4cd65b7ee8ede1e02"
},
{
"url": "https://git.kernel.org/stable/c/e5690f263208c5abce7451370b7786eb25b405eb"
}
],
"title": "9p: fix fid refcount leak in v9fs_vfs_get_link",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49704",
"datePublished": "2025-02-26T02:24:23.384Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-10-01T19:36:45.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49414 (GCVE-0-2022-49414)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix race condition between ext4_write and ext4_convert_inline_data
Hulk Robot reported a BUG_ON:
==================================================================
EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,
block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters
kernel BUG at fs/ext4/ext4_jbd2.c:53!
invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1
RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116
[...]
Call Trace:
ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795
generic_perform_write+0x279/0x3c0 mm/filemap.c:3344
ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270
ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520
do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732
do_iter_write+0x107/0x430 fs/read_write.c:861
vfs_writev fs/read_write.c:934 [inline]
do_pwritev+0x1e5/0x380 fs/read_write.c:1031
[...]
==================================================================
Above issue may happen as follows:
cpu1 cpu2
__________________________|__________________________
do_pwritev
vfs_writev
do_iter_write
ext4_file_write_iter
ext4_buffered_write_iter
generic_perform_write
ext4_da_write_begin
vfs_fallocate
ext4_fallocate
ext4_convert_inline_data
ext4_convert_inline_data_nolock
ext4_destroy_inline_data_nolock
clear EXT4_STATE_MAY_INLINE_DATA
ext4_map_blocks
ext4_ext_map_blocks
ext4_mb_new_blocks
ext4_mb_regular_allocator
ext4_mb_good_group_nolock
ext4_mb_init_group
ext4_mb_init_cache
ext4_mb_generate_buddy --> error
ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
ext4_restore_inline_data
set EXT4_STATE_MAY_INLINE_DATA
ext4_block_write_begin
ext4_da_write_end
ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
ext4_write_inline_data_end
handle=NULL
ext4_journal_stop(handle)
__ext4_journal_stop
ext4_put_nojournal(handle)
ref_cnt = (unsigned long)handle
BUG_ON(ref_cnt == 0) ---> BUG_ON
The lock held by ext4_convert_inline_data is xattr_sem, but the lock
held by generic_perform_write is i_rwsem. Therefore, the two locks can
be concurrent.
To solve above issue, we add inode_lock() for ext4_convert_inline_data().
At the same time, move ext4_convert_inline_data() in front of
ext4_punch_hole(), remove similar handling from ext4_punch_hole().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf Version: 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:09.175529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c",
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18881d7e517169193d9ef6c89c7f322e3e164277",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
},
{
"lessThan": "91f90b571f1a23f5b8a9c2b68a9aa5d6981a3c3d",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
},
{
"lessThan": "14602353b350950b551eccc6b46411aa3b12ffe2",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
},
{
"lessThan": "725e00cb7039eae291890f1bb19bc867176745f6",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
},
{
"lessThan": "ccc6639f831bee91aa8b41c8a1cdd020ecfb9f32",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
},
{
"lessThan": "f87c7a4b084afc13190cbb263538e444cb2b392a",
"status": "affected",
"version": "0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c",
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix race condition between ext4_write and ext4_convert_inline_data\n\nHulk Robot reported a BUG_ON:\n ==================================================================\n EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,\n block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters\n kernel BUG at fs/ext4/ext4_jbd2.c:53!\n invalid opcode: 0000 [#1] SMP KASAN PTI\n CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1\n RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]\n RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116\n [...]\n Call Trace:\n ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795\n generic_perform_write+0x279/0x3c0 mm/filemap.c:3344\n ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270\n ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520\n do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732\n do_iter_write+0x107/0x430 fs/read_write.c:861\n vfs_writev fs/read_write.c:934 [inline]\n do_pwritev+0x1e5/0x380 fs/read_write.c:1031\n [...]\n ==================================================================\n\nAbove issue may happen as follows:\n cpu1 cpu2\n__________________________|__________________________\ndo_pwritev\n vfs_writev\n do_iter_write\n ext4_file_write_iter\n ext4_buffered_write_iter\n generic_perform_write\n ext4_da_write_begin\n vfs_fallocate\n ext4_fallocate\n ext4_convert_inline_data\n ext4_convert_inline_data_nolock\n ext4_destroy_inline_data_nolock\n clear EXT4_STATE_MAY_INLINE_DATA\n ext4_map_blocks\n ext4_ext_map_blocks\n ext4_mb_new_blocks\n ext4_mb_regular_allocator\n ext4_mb_good_group_nolock\n ext4_mb_init_group\n ext4_mb_init_cache\n ext4_mb_generate_buddy --\u003e error\n ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)\n ext4_restore_inline_data\n set EXT4_STATE_MAY_INLINE_DATA\n ext4_block_write_begin\n ext4_da_write_end\n ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)\n ext4_write_inline_data_end\n handle=NULL\n ext4_journal_stop(handle)\n __ext4_journal_stop\n ext4_put_nojournal(handle)\n ref_cnt = (unsigned long)handle\n BUG_ON(ref_cnt == 0) ---\u003e BUG_ON\n\nThe lock held by ext4_convert_inline_data is xattr_sem, but the lock\nheld by generic_perform_write is i_rwsem. Therefore, the two locks can\nbe concurrent.\n\nTo solve above issue, we add inode_lock() for ext4_convert_inline_data().\nAt the same time, move ext4_convert_inline_data() in front of\next4_punch_hole(), remove similar handling from ext4_punch_hole()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:10.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18881d7e517169193d9ef6c89c7f322e3e164277"
},
{
"url": "https://git.kernel.org/stable/c/91f90b571f1a23f5b8a9c2b68a9aa5d6981a3c3d"
},
{
"url": "https://git.kernel.org/stable/c/14602353b350950b551eccc6b46411aa3b12ffe2"
},
{
"url": "https://git.kernel.org/stable/c/725e00cb7039eae291890f1bb19bc867176745f6"
},
{
"url": "https://git.kernel.org/stable/c/ccc6639f831bee91aa8b41c8a1cdd020ecfb9f32"
},
{
"url": "https://git.kernel.org/stable/c/f87c7a4b084afc13190cbb263538e444cb2b392a"
}
],
"title": "ext4: fix race condition between ext4_write and ext4_convert_inline_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49414",
"datePublished": "2025-02-26T02:12:35.083Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-10-01T19:46:50.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49153 (GCVE-0-2022-49153)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wireguard: socket: free skb in send6 when ipv6 is disabled
I got a memory leak report:
unreferenced object 0xffff8881191fc040 (size 232):
comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff814c3ef4>] slab_post_alloc_hook+0x84/0x3b0
[<ffffffff814c8977>] kmem_cache_alloc_node+0x167/0x340
[<ffffffff832974fb>] __alloc_skb+0x1db/0x200
[<ffffffff82612b5d>] wg_socket_send_buffer_to_peer+0x3d/0xc0
[<ffffffff8260e94a>] wg_packet_send_handshake_initiation+0xfa/0x110
[<ffffffff8260ec81>] wg_packet_handshake_send_worker+0x21/0x30
[<ffffffff8119c558>] process_one_work+0x2e8/0x770
[<ffffffff8119ca2a>] worker_thread+0x4a/0x4b0
[<ffffffff811a88e0>] kthread+0x120/0x160
[<ffffffff8100242f>] ret_from_fork+0x1f/0x30
In function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_
buffer_to_peer(), the semantics of send6() is required to free skb. But
when CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it
to fix this bug.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49153",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:43.493008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:01.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireguard/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "096f9d35cac0a0c95ffafc00db84786b665a4837",
"status": "affected",
"version": "e7096c131e5161fa3b8e52a650d7719d2857adfd",
"versionType": "git"
},
{
"lessThan": "402991a9771587acc2947cf6c4d689c5397f2258",
"status": "affected",
"version": "e7096c131e5161fa3b8e52a650d7719d2857adfd",
"versionType": "git"
},
{
"lessThan": "ebcc492f4ba14bae54b898f1016a37b4282558d1",
"status": "affected",
"version": "e7096c131e5161fa3b8e52a650d7719d2857adfd",
"versionType": "git"
},
{
"lessThan": "0b19bcb753dbfb74710d12bb2761ec5ed706c726",
"status": "affected",
"version": "e7096c131e5161fa3b8e52a650d7719d2857adfd",
"versionType": "git"
},
{
"lessThan": "bbbf962d9460194993ee1943a793a0a0af4a7fbf",
"status": "affected",
"version": "e7096c131e5161fa3b8e52a650d7719d2857adfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireguard/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: socket: free skb in send6 when ipv6 is disabled\n\nI got a memory leak report:\n\nunreferenced object 0xffff8881191fc040 (size 232):\n comm \"kworker/u17:0\", pid 23193, jiffies 4295238848 (age 3464.870s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff814c3ef4\u003e] slab_post_alloc_hook+0x84/0x3b0\n [\u003cffffffff814c8977\u003e] kmem_cache_alloc_node+0x167/0x340\n [\u003cffffffff832974fb\u003e] __alloc_skb+0x1db/0x200\n [\u003cffffffff82612b5d\u003e] wg_socket_send_buffer_to_peer+0x3d/0xc0\n [\u003cffffffff8260e94a\u003e] wg_packet_send_handshake_initiation+0xfa/0x110\n [\u003cffffffff8260ec81\u003e] wg_packet_handshake_send_worker+0x21/0x30\n [\u003cffffffff8119c558\u003e] process_one_work+0x2e8/0x770\n [\u003cffffffff8119ca2a\u003e] worker_thread+0x4a/0x4b0\n [\u003cffffffff811a88e0\u003e] kthread+0x120/0x160\n [\u003cffffffff8100242f\u003e] ret_from_fork+0x1f/0x30\n\nIn function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_\nbuffer_to_peer(), the semantics of send6() is required to free skb. But\nwhen CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it\nto fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:07.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/096f9d35cac0a0c95ffafc00db84786b665a4837"
},
{
"url": "https://git.kernel.org/stable/c/402991a9771587acc2947cf6c4d689c5397f2258"
},
{
"url": "https://git.kernel.org/stable/c/ebcc492f4ba14bae54b898f1016a37b4282558d1"
},
{
"url": "https://git.kernel.org/stable/c/0b19bcb753dbfb74710d12bb2761ec5ed706c726"
},
{
"url": "https://git.kernel.org/stable/c/bbbf962d9460194993ee1943a793a0a0af4a7fbf"
}
],
"title": "wireguard: socket: free skb in send6 when ipv6 is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49153",
"datePublished": "2025-02-26T01:55:18.745Z",
"dateReserved": "2025-02-26T01:49:39.275Z",
"dateUpdated": "2025-10-01T19:57:01.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49385 (GCVE-0-2022-49385)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver: base: fix UAF when driver_attach failed
When driver_attach(drv); failed, the driver_private will be freed.
But it has been added to the bus, which caused a UAF.
To fix it, we need to delete it from the bus when failed.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 190888ac01d059e38ffe77a2291d44cafa9016fb Version: 190888ac01d059e38ffe77a2291d44cafa9016fb Version: 190888ac01d059e38ffe77a2291d44cafa9016fb Version: 190888ac01d059e38ffe77a2291d44cafa9016fb Version: 190888ac01d059e38ffe77a2291d44cafa9016fb Version: 190888ac01d059e38ffe77a2291d44cafa9016fb |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:41.954887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:28.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d709f58c743166fe1c6914b9de0ae8868600d9b",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
},
{
"lessThan": "823f24f2e329babd0330200d0b74882516fe57f4",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
},
{
"lessThan": "cdf1a683a01583bca4b618dd16223cbd6e462e21",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
},
{
"lessThan": "5389101257828d1913d713d9a40acbe14f5961df",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
},
{
"lessThan": "c059665c84feab46b7173d3a1bf36c2fb7f9df86",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
},
{
"lessThan": "310862e574001a97ad02272bac0fd13f75f42a27",
"status": "affected",
"version": "190888ac01d059e38ffe77a2291d44cafa9016fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: base: fix UAF when driver_attach failed\n\nWhen driver_attach(drv); failed, the driver_private will be freed.\nBut it has been added to the bus, which caused a UAF.\n\nTo fix it, we need to delete it from the bus when failed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:33.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d709f58c743166fe1c6914b9de0ae8868600d9b"
},
{
"url": "https://git.kernel.org/stable/c/823f24f2e329babd0330200d0b74882516fe57f4"
},
{
"url": "https://git.kernel.org/stable/c/cdf1a683a01583bca4b618dd16223cbd6e462e21"
},
{
"url": "https://git.kernel.org/stable/c/5389101257828d1913d713d9a40acbe14f5961df"
},
{
"url": "https://git.kernel.org/stable/c/c059665c84feab46b7173d3a1bf36c2fb7f9df86"
},
{
"url": "https://git.kernel.org/stable/c/310862e574001a97ad02272bac0fd13f75f42a27"
}
],
"title": "driver: base: fix UAF when driver_attach failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49385",
"datePublished": "2025-02-26T02:11:20.725Z",
"dateReserved": "2025-02-26T02:08:31.560Z",
"dateUpdated": "2025-05-04T08:36:33.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21776 (GCVE-0-2025-21776)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: hub: Ignore non-compliant devices with too many configs or interfaces
Robert Morris created a test program which can cause
usb_hub_to_struct_hub() to dereference a NULL or inappropriate
pointer:
Oops: general protection fault, probably for non-canonical address
0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110
...
Call Trace:
<TASK>
? die_addr+0x31/0x80
? exc_general_protection+0x1b4/0x3c0
? asm_exc_general_protection+0x26/0x30
? usb_hub_adjust_deviceremovable+0x78/0x110
hub_probe+0x7c7/0xab0
usb_probe_interface+0x14b/0x350
really_probe+0xd0/0x2d0
? __pfx___device_attach_driver+0x10/0x10
__driver_probe_device+0x6e/0x110
driver_probe_device+0x1a/0x90
__device_attach_driver+0x7e/0xc0
bus_for_each_drv+0x7f/0xd0
__device_attach+0xaa/0x1a0
bus_probe_device+0x8b/0xa0
device_add+0x62e/0x810
usb_set_configuration+0x65d/0x990
usb_generic_driver_probe+0x4b/0x70
usb_probe_device+0x36/0xd0
The cause of this error is that the device has two interfaces, and the
hub driver binds to interface 1 instead of interface 0, which is where
usb_hub_to_struct_hub() looks.
We can prevent the problem from occurring by refusing to accept hub
devices that violate the USB spec by having more than one
configuration or interface.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:31.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/hub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49f077106fa07919a6a6dda99bb490dd1d1a8218",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d343fe0fad5c1d689775f2dda24a85ce98e29566",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3a67adb365cdfdac4620daf38a82e57ca45806c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c3720b04df84b5459050ae4e03ec7d545652f897",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e905a0fca7bff0855d312c16f71e60e1773b393e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62d8f4c5454dd39aded4f343720d1c5a1803cfef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b9778e1fe715700993ce436c152dc3b7df0b490",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2240fed37afbcdb5e8b627bc7ad986891100e05d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/hub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: hub: Ignore non-compliant devices with too many configs or interfaces\n\nRobert Morris created a test program which can cause\nusb_hub_to_struct_hub() to dereference a NULL or inappropriate\npointer:\n\nOops: general protection fault, probably for non-canonical address\n0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI\nCPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14\nHardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x31/0x80\n ? exc_general_protection+0x1b4/0x3c0\n ? asm_exc_general_protection+0x26/0x30\n ? usb_hub_adjust_deviceremovable+0x78/0x110\n hub_probe+0x7c7/0xab0\n usb_probe_interface+0x14b/0x350\n really_probe+0xd0/0x2d0\n ? __pfx___device_attach_driver+0x10/0x10\n __driver_probe_device+0x6e/0x110\n driver_probe_device+0x1a/0x90\n __device_attach_driver+0x7e/0xc0\n bus_for_each_drv+0x7f/0xd0\n __device_attach+0xaa/0x1a0\n bus_probe_device+0x8b/0xa0\n device_add+0x62e/0x810\n usb_set_configuration+0x65d/0x990\n usb_generic_driver_probe+0x4b/0x70\n usb_probe_device+0x36/0xd0\n\nThe cause of this error is that the device has two interfaces, and the\nhub driver binds to interface 1 instead of interface 0, which is where\nusb_hub_to_struct_hub() looks.\n\nWe can prevent the problem from occurring by refusing to accept hub\ndevices that violate the USB spec by having more than one\nconfiguration or interface."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:56.723Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218"
},
{
"url": "https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566"
},
{
"url": "https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c"
},
{
"url": "https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897"
},
{
"url": "https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e"
},
{
"url": "https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef"
},
{
"url": "https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490"
},
{
"url": "https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d"
}
],
"title": "USB: hub: Ignore non-compliant devices with too many configs or interfaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21776",
"datePublished": "2025-02-27T02:18:21.503Z",
"dateReserved": "2024-12-29T08:45:45.763Z",
"dateUpdated": "2025-11-03T19:37:31.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49441 (GCVE-0-2022-49441)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: fix deadlock caused by calling printk() under tty_port->lock
pty_write() invokes kmalloc() which may invoke a normal printk() to print
failure message. This can cause a deadlock in the scenario reported by
syz-bot below:
CPU0 CPU1 CPU2
---- ---- ----
lock(console_owner);
lock(&port_lock_key);
lock(&port->lock);
lock(&port_lock_key);
lock(&port->lock);
lock(console_owner);
As commit dbdda842fe96 ("printk: Add console owner and waiter logic to
load balance console writes") said, such deadlock can be prevented by
using printk_deferred() in kmalloc() (which is invoked in the section
guarded by the port->lock). But there are too many printk() on the
kmalloc() path, and kmalloc() can be called from anywhere, so changing
printk() to printk_deferred() is too complicated and inelegant.
Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so
that printk() will not be called, and this deadlock problem can be
avoided.
Syzbot reported the following lockdep error:
======================================================
WARNING: possible circular locking dependency detected
5.4.143-00237-g08ccc19a-dirty #10 Not tainted
------------------------------------------------------
syz-executor.4/29420 is trying to acquire lock:
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023
but task is already holding lock:
ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&port->lock){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
tty_port_tty_get drivers/tty/tty_port.c:288 [inline] <-- lock(&port->lock);
tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] <-- lock(&port_lock_key);
serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
[...]
-> #1 (&port_lock_key){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198
<-- lock(&port_lock_key);
call_console_drivers kernel/printk/printk.c:1819 [inline]
console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 <-- lock(console_owner);
vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
printk+0xba/0xed kernel/printk/printk.c:2084
register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
start_kernel+0x5e9/0x879 init/main.c:713
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
-> #0 (console_owner){....}-{0:0}:
[...]
lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
console_trylock_spinning kernel/printk/printk.c:1773
---truncated---
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d83904cb2eb2c4d937eaf15032214b0578f25099 Version: deb1feaad03a78b545c949e54582ae57b3c56982 Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: b6da31b2c07c46f2dcad1d86caa835227a16d9ff Version: 6d9cd12792270773fab9e5a129daff328d61ef9e Version: 6dbfa9b5ae65063cd61dc7fa11332e00bb794d8b Version: 60c4e8db32815474bfaeabe888ebb14e698caea1 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:56.105263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:49.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4af21b12a60ed2d3642284f4f85b42d7dc6ac246",
"status": "affected",
"version": "d83904cb2eb2c4d937eaf15032214b0578f25099",
"versionType": "git"
},
{
"lessThan": "4c253caf9264d2aa47ee806a87986dd8eb91a5d9",
"status": "affected",
"version": "deb1feaad03a78b545c949e54582ae57b3c56982",
"versionType": "git"
},
{
"lessThan": "04ee31678c128a6cc7bb057ea189a8624ba5a314",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "3219ac364ac3d8d30771612a6010f1e0b7fa0a28",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "9834b13e8b962caa28fbcf1f422dd82413da4ede",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "18ca0d55e8639b911df8aae1b47598b13f9acded",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "b3c974501d0c32258ae0e04e5cc3fb92383b40f6",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "0bcf44903ef4df742dcada86ccaedd25374ffb50",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"lessThan": "6b9dbedbe3499fef862c4dff5217cf91f34e43b3",
"status": "affected",
"version": "b6da31b2c07c46f2dcad1d86caa835227a16d9ff",
"versionType": "git"
},
{
"status": "affected",
"version": "6d9cd12792270773fab9e5a129daff328d61ef9e",
"versionType": "git"
},
{
"status": "affected",
"version": "6dbfa9b5ae65063cd61dc7fa11332e00bb794d8b",
"versionType": "git"
},
{
"status": "affected",
"version": "60c4e8db32815474bfaeabe888ebb14e698caea1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.9.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.17.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix deadlock caused by calling printk() under tty_port-\u003elock\n\npty_write() invokes kmalloc() which may invoke a normal printk() to print\nfailure message. This can cause a deadlock in the scenario reported by\nsyz-bot below:\n\n CPU0 CPU1 CPU2\n ---- ---- ----\n lock(console_owner);\n lock(\u0026port_lock_key);\n lock(\u0026port-\u003elock);\n lock(\u0026port_lock_key);\n lock(\u0026port-\u003elock);\n lock(console_owner);\n\nAs commit dbdda842fe96 (\"printk: Add console owner and waiter logic to\nload balance console writes\") said, such deadlock can be prevented by\nusing printk_deferred() in kmalloc() (which is invoked in the section\nguarded by the port-\u003elock). But there are too many printk() on the\nkmalloc() path, and kmalloc() can be called from anywhere, so changing\nprintk() to printk_deferred() is too complicated and inelegant.\n\nTherefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so\nthat printk() will not be called, and this deadlock problem can be\navoided.\n\nSyzbot reported the following lockdep error:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.4.143-00237-g08ccc19a-dirty #10 Not tainted\n------------------------------------------------------\nsyz-executor.4/29420 is trying to acquire lock:\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023\n\nbut task is already holding lock:\nffff8880119c9158 (\u0026port-\u003elock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (\u0026port-\u003elock){-.-.}-{2:2}:\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n tty_port_tty_get drivers/tty/tty_port.c:288 [inline] \t\t\u003c-- lock(\u0026port-\u003elock);\n tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47\n serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767\n serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854\n serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] \t\u003c-- lock(\u0026port_lock_key);\n serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870\n serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126\n __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156\n [...]\n\n-\u003e #1 (\u0026port_lock_key){-.-.}-{2:2}:\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198\n\t\t\t\t\t\t\t\t\t\t\u003c-- lock(\u0026port_lock_key);\n call_console_drivers kernel/printk/printk.c:1819 [inline]\n console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504\n vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024\t\t\t\u003c-- lock(console_owner);\n vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394\n printk+0xba/0xed kernel/printk/printk.c:2084\n register_console+0x8b3/0xc10 kernel/printk/printk.c:2829\n univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681\n console_init+0x49d/0x6d3 kernel/printk/printk.c:2915\n start_kernel+0x5e9/0x879 init/main.c:713\n secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241\n\n-\u003e #0 (console_owner){....}-{0:0}:\n [...]\n lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734\n console_trylock_spinning kernel/printk/printk.c:1773 \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:42.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246"
},
{
"url": "https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9"
},
{
"url": "https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314"
},
{
"url": "https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28"
},
{
"url": "https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede"
},
{
"url": "https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded"
},
{
"url": "https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6"
},
{
"url": "https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50"
},
{
"url": "https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3"
}
],
"title": "tty: fix deadlock caused by calling printk() under tty_port-\u003elock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49441",
"datePublished": "2025-02-26T02:12:54.649Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-10-01T19:46:49.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58011 (GCVE-0-2024-58011)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: int3472: Check for adev == NULL
Not all devices have an ACPI companion fwnode, so adev might be NULL. This
can e.g. (theoretically) happen when a user manually binds one of
the int3472 drivers to another i2c/platform device through sysfs.
Add a check for adev not being set and return -ENODEV in that case to
avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 Version: 5de691bffe57fd0fc2b4dcdcf13815c56d11db10 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:30.268538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:05.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:26.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/int3472/discrete.c",
"drivers/platform/x86/intel/int3472/tps68470.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46263a0b687a044e645387a9c7692ccd693f09f1",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "4f8b210823cc2d1f9d967f089a6c00d025bb237f",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "f9c7cc44758f4930b41285a6d54afa8cbd9762b4",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "0a30353beca2693d30bde477024d755ffecea514",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
},
{
"lessThan": "cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c",
"status": "affected",
"version": "5de691bffe57fd0fc2b4dcdcf13815c56d11db10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/int3472/discrete.c",
"drivers/platform/x86/intel/int3472/tps68470.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:48:47.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46263a0b687a044e645387a9c7692ccd693f09f1"
},
{
"url": "https://git.kernel.org/stable/c/4f8b210823cc2d1f9d967f089a6c00d025bb237f"
},
{
"url": "https://git.kernel.org/stable/c/f9c7cc44758f4930b41285a6d54afa8cbd9762b4"
},
{
"url": "https://git.kernel.org/stable/c/0a30353beca2693d30bde477024d755ffecea514"
},
{
"url": "https://git.kernel.org/stable/c/a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d"
},
{
"url": "https://git.kernel.org/stable/c/cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c"
}
],
"title": "platform/x86: int3472: Check for adev == NULL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58011",
"datePublished": "2025-02-27T02:12:05.675Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:26.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49103 (GCVE-0-2022-49103)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()
[You don't often get email from xiongx18@fudan.edu.cn. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]
The reference counting issue happens in two error paths in the
function _nfs42_proc_copy_notify(). In both error paths, the function
simply returns the error code and forgets to balance the refcount of
object `ctx`, bumped by get_nfs_open_context() earlier, which may
cause refcount leaks.
Fix it by balancing refcount of the `ctx` object before the function
returns in both error paths.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:20.520133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs42proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b9feec97c1fc7dd9bb69f62c4905cddf1801599",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b37f482ba9f0e6382c188e3fccf6c4b2fdc938eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb73bf6305f4eb8f0cf9a61ee874d55f019d6dc4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f46f632f9cfae4b2e3635fa58840a8ec584c42e3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b7f114edd54326f730a754547e7cfb197b5bc132",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs42proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()\n\n[You don\u0027t often get email from xiongx18@fudan.edu.cn. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]\n\nThe reference counting issue happens in two error paths in the\nfunction _nfs42_proc_copy_notify(). In both error paths, the function\nsimply returns the error code and forgets to balance the refcount of\nobject `ctx`, bumped by get_nfs_open_context() earlier, which may\ncause refcount leaks.\n\nFix it by balancing refcount of the `ctx` object before the function\nreturns in both error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:55.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b9feec97c1fc7dd9bb69f62c4905cddf1801599"
},
{
"url": "https://git.kernel.org/stable/c/b37f482ba9f0e6382c188e3fccf6c4b2fdc938eb"
},
{
"url": "https://git.kernel.org/stable/c/fb73bf6305f4eb8f0cf9a61ee874d55f019d6dc4"
},
{
"url": "https://git.kernel.org/stable/c/f46f632f9cfae4b2e3635fa58840a8ec584c42e3"
},
{
"url": "https://git.kernel.org/stable/c/b7f114edd54326f730a754547e7cfb197b5bc132"
}
],
"title": "NFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49103",
"datePublished": "2025-02-26T01:54:52.530Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-10-01T19:57:05.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21745 (GCVE-0-2025-21745)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix class @block_class's subsystem refcount leakage
blkcg_fill_root_iostats() iterates over @block_class's devices by
class_dev_iter_(init|next)(), but does not end iterating with
class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
Fix by ending the iterating with class_dev_iter_exit().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac Version: ef45fe470e1e5410db4af87abc5d5055427945ac |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:50.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffb494f1e7a047bd7a41b13796fcfb08fe5beafb",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "38287f779b34dfe959b4b681e909f2d3d52b88be",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "431b6ef2714be4d5babb802114987541a88b43b0",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "993121481b5a87829f1e8163f47158b72679f309",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "2ce09aabe009453d641a2ceb79e6461a2d4f3876",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "67c7f213e052b1aa6caba4a7e25e303bc6997126",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
},
{
"lessThan": "d1248436cbef1f924c04255367ff4845ccd9025e",
"status": "affected",
"version": "ef45fe470e1e5410db4af87abc5d5055427945ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix class @block_class\u0027s subsystem refcount leakage\n\nblkcg_fill_root_iostats() iterates over @block_class\u0027s devices by\nclass_dev_iter_(init|next)(), but does not end iterating with\nclass_dev_iter_exit(), so causes the class\u0027s subsystem refcount leakage.\n\nFix by ending the iterating with class_dev_iter_exit()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:12.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffb494f1e7a047bd7a41b13796fcfb08fe5beafb"
},
{
"url": "https://git.kernel.org/stable/c/38287f779b34dfe959b4b681e909f2d3d52b88be"
},
{
"url": "https://git.kernel.org/stable/c/431b6ef2714be4d5babb802114987541a88b43b0"
},
{
"url": "https://git.kernel.org/stable/c/993121481b5a87829f1e8163f47158b72679f309"
},
{
"url": "https://git.kernel.org/stable/c/2ce09aabe009453d641a2ceb79e6461a2d4f3876"
},
{
"url": "https://git.kernel.org/stable/c/67c7f213e052b1aa6caba4a7e25e303bc6997126"
},
{
"url": "https://git.kernel.org/stable/c/d1248436cbef1f924c04255367ff4845ccd9025e"
}
],
"title": "blk-cgroup: Fix class @block_class\u0027s subsystem refcount leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21745",
"datePublished": "2025-02-27T02:12:17.853Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-11-03T19:36:50.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49281 (GCVE-0-2022-49281)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix handlecache and multiuser
In multiuser each individual user has their own tcon structure for the
share and thus their own handle for a cached directory.
When we umount such a share we much make sure to release the pinned down dentry
for each such tcon and not just the master tcon.
Otherwise we will get nasty warnings on umount that dentries are still in use:
[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/} still in use\
(2) [unmount of cifs cifs]
...
[ 3459.590492] Call Trace:
[ 3459.590500] d_walk+0x61/0x2a0
[ 3459.590518] ? shrink_lock_dentry.part.0+0xe0/0xe0
[ 3459.590526] shrink_dcache_for_umount+0x49/0x110
[ 3459.590535] generic_shutdown_super+0x1a/0x110
[ 3459.590542] kill_anon_super+0x14/0x30
[ 3459.590549] cifs_kill_sb+0xf5/0x104 [cifs]
[ 3459.590773] deactivate_locked_super+0x36/0xa0
[ 3459.590782] cleanup_mnt+0x131/0x190
[ 3459.590789] task_work_run+0x5c/0x90
[ 3459.590798] exit_to_user_mode_loop+0x151/0x160
[ 3459.590809] exit_to_user_mode_prepare+0x83/0xd0
[ 3459.590818] syscall_exit_to_user_mode+0x12/0x30
[ 3459.590828] do_syscall_64+0x48/0x90
[ 3459.590833] entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fafbc198613823943c106d1ec9b516da692059f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffa631c4bff59dde59b598011f570e27dfba3515",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e71f6a3a1d5c826a30384fec587ca7503ef6bde5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "47178c7722ac528ea08aa82c3ef9ffa178962d7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix handlecache and multiuser\n\nIn multiuser each individual user has their own tcon structure for the\nshare and thus their own handle for a cached directory.\nWhen we umount such a share we much make sure to release the pinned down dentry\nfor each such tcon and not just the master tcon.\n\nOtherwise we will get nasty warnings on umount that dentries are still in use:\n[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/} still in use\\\n (2) [unmount of cifs cifs]\n...\n[ 3459.590492] Call Trace:\n[ 3459.590500] d_walk+0x61/0x2a0\n[ 3459.590518] ? shrink_lock_dentry.part.0+0xe0/0xe0\n[ 3459.590526] shrink_dcache_for_umount+0x49/0x110\n[ 3459.590535] generic_shutdown_super+0x1a/0x110\n[ 3459.590542] kill_anon_super+0x14/0x30\n[ 3459.590549] cifs_kill_sb+0xf5/0x104 [cifs]\n[ 3459.590773] deactivate_locked_super+0x36/0xa0\n[ 3459.590782] cleanup_mnt+0x131/0x190\n[ 3459.590789] task_work_run+0x5c/0x90\n[ 3459.590798] exit_to_user_mode_loop+0x151/0x160\n[ 3459.590809] exit_to_user_mode_prepare+0x83/0xd0\n[ 3459.590818] syscall_exit_to_user_mode+0x12/0x30\n[ 3459.590828] do_syscall_64+0x48/0x90\n[ 3459.590833] entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:05.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fafbc198613823943c106d1ec9b516da692059f"
},
{
"url": "https://git.kernel.org/stable/c/ffa631c4bff59dde59b598011f570e27dfba3515"
},
{
"url": "https://git.kernel.org/stable/c/e71f6a3a1d5c826a30384fec587ca7503ef6bde5"
},
{
"url": "https://git.kernel.org/stable/c/47178c7722ac528ea08aa82c3ef9ffa178962d7a"
}
],
"title": "cifs: fix handlecache and multiuser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49281",
"datePublished": "2025-02-26T01:56:23.201Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:05.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49526 (GCVE-0-2022-49526)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/bitmap: don't set sb values if can't pass sanity check
If bitmap area contains invalid data, kernel will crash then mdadm
triggers "Segmentation fault".
This is cluster-md speical bug. In non-clustered env, mdadm will
handle broken metadata case. In clustered array, only kernel space
handles bitmap slot info. But even this bug only happened in clustered
env, current sanity check is wrong, the code should be changed.
How to trigger: (faulty injection)
dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda
dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb
mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb
mdadm -Ss
echo aaa > magic.txt
== below modifying slot 2 bitmap data ==
dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic
dd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize
mdadm -A /dev/md0 /dev/sda /dev/sdb
== kernel crashes. mdadm outputs "Segmentation fault" ==
Reason of kernel crash:
In md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't
block chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()
trigger "divide error".
Crash log:
kernel: md: md0 stopped.
kernel: md/raid1:md0: not clean -- starting background reconstruction
kernel: md/raid1:md0: active with 2 out of 2 mirrors
kernel: dlm: ... ...
kernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1
kernel: md0: invalid bitmap file superblock: bad magic
kernel: md_bitmap_copy_from_slot can't get bitmap from slot 2
kernel: md-cluster: Could not gather bitmaps from slot 2
kernel: divide error: 0000 [#1] SMP NOPTI
kernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default
kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
kernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246
kernel: ... ...
kernel: Call Trace:
kernel: ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]
kernel: md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]
kernel: load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]
kernel: md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]
kernel: do_md_run+0x30/0x100 [md_mod 24ea..d3a]
kernel: md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]
kernel: ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]
kernel: ? blkdev_ioctl+0xb1/0x2b0
kernel: block_ioctl+0x3b/0x40
kernel: __x64_sys_ioctl+0x7f/0xb0
kernel: do_syscall_64+0x59/0x80
kernel: ? exit_to_user_mode_prepare+0x1ab/0x230
kernel: ? syscall_exit_to_user_mode+0x18/0x40
kernel: ? do_syscall_64+0x69/0x80
kernel: entry_SYSCALL_64_after_hwframe+0x44/0xae
kernel: RIP: 0033:0x7f4a15fa722b
kernel: ... ...
kernel: ---[ end trace 8afa7612f559c868 ]---
kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0959aa00f9765bd8c654b1365012e41b51c733cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e69e93120f6219b9cc4fba3b515b6ababd8548aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d8f1558e1daf54f53a90b4c5700ae3e3a4b13412",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md-bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: don\u0027t set sb values if can\u0027t pass sanity check\n\nIf bitmap area contains invalid data, kernel will crash then mdadm\ntriggers \"Segmentation fault\".\nThis is cluster-md speical bug. In non-clustered env, mdadm will\nhandle broken metadata case. In clustered array, only kernel space\nhandles bitmap slot info. But even this bug only happened in clustered\nenv, current sanity check is wrong, the code should be changed.\n\nHow to trigger: (faulty injection)\n\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb\nmdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb\nmdadm -Ss\necho aaa \u003e magic.txt\n == below modifying slot 2 bitmap data ==\ndd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 \u003c== destroy magic\ndd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 \u003c== ZERO chunksize\nmdadm -A /dev/md0 /dev/sda /dev/sdb\n == kernel crashes. mdadm outputs \"Segmentation fault\" ==\n\nReason of kernel crash:\n\nIn md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn\u0027t\nblock chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()\ntrigger \"divide error\".\n\nCrash log:\n\nkernel: md: md0 stopped.\nkernel: md/raid1:md0: not clean -- starting background reconstruction\nkernel: md/raid1:md0: active with 2 out of 2 mirrors\nkernel: dlm: ... ...\nkernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1\nkernel: md0: invalid bitmap file superblock: bad magic\nkernel: md_bitmap_copy_from_slot can\u0027t get bitmap from slot 2\nkernel: md-cluster: Could not gather bitmaps from slot 2\nkernel: divide error: 0000 [#1] SMP NOPTI\nkernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default\nkernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]\nkernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246\nkernel: ... ...\nkernel: Call Trace:\nkernel: ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]\nkernel: md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]\nkernel: load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]\nkernel: md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]\nkernel: do_md_run+0x30/0x100 [md_mod 24ea..d3a]\nkernel: md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]\nkernel: ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]\nkernel: ? blkdev_ioctl+0xb1/0x2b0\nkernel: block_ioctl+0x3b/0x40\nkernel: __x64_sys_ioctl+0x7f/0xb0\nkernel: do_syscall_64+0x59/0x80\nkernel: ? exit_to_user_mode_prepare+0x1ab/0x230\nkernel: ? syscall_exit_to_user_mode+0x18/0x40\nkernel: ? do_syscall_64+0x69/0x80\nkernel: entry_SYSCALL_64_after_hwframe+0x44/0xae\nkernel: RIP: 0033:0x7f4a15fa722b\nkernel: ... ...\nkernel: ---[ end trace 8afa7612f559c868 ]---\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:49.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d"
},
{
"url": "https://git.kernel.org/stable/c/0959aa00f9765bd8c654b1365012e41b51c733cc"
},
{
"url": "https://git.kernel.org/stable/c/e69e93120f6219b9cc4fba3b515b6ababd8548aa"
},
{
"url": "https://git.kernel.org/stable/c/27f672af28a8e9b783ff7f0eaf7ef2fbd5a2f4ba"
},
{
"url": "https://git.kernel.org/stable/c/cf9392282a2cf5a8d83dd1c5aa1a097e12f172bc"
},
{
"url": "https://git.kernel.org/stable/c/d8f1558e1daf54f53a90b4c5700ae3e3a4b13412"
},
{
"url": "https://git.kernel.org/stable/c/e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2"
}
],
"title": "md/bitmap: don\u0027t set sb values if can\u0027t pass sanity check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49526",
"datePublished": "2025-02-26T02:13:49.145Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:49.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49071 (GCVE-0-2022-49071)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panel: ili9341: fix optional regulator handling
If the optional regulator lookup fails, reset the pointer to NULL.
Other functions such as mipi_dbi_poweron_reset_conditional() only do
a NULL pointer check and will otherwise dereference the error pointer.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:33.116084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-ilitek-ili9341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28dc1503a9d36654f9c61adb2915682515a30f71",
"status": "affected",
"version": "5a04227326b04c15b015181772f5c853172fdb68",
"versionType": "git"
},
{
"lessThan": "e3d982c111a6c033671dd6084b07f62fbf50f76f",
"status": "affected",
"version": "5a04227326b04c15b015181772f5c853172fdb68",
"versionType": "git"
},
{
"lessThan": "4ea189854b1e625ed5ec80d30147870f984db44c",
"status": "affected",
"version": "5a04227326b04c15b015181772f5c853172fdb68",
"versionType": "git"
},
{
"lessThan": "d14eb80e27795b7b20060f7b151cdfe39722a813",
"status": "affected",
"version": "5a04227326b04c15b015181772f5c853172fdb68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-ilitek-ili9341.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ili9341: fix optional regulator handling\n\nIf the optional regulator lookup fails, reset the pointer to NULL.\nOther functions such as mipi_dbi_poweron_reset_conditional() only do\na NULL pointer check and will otherwise dereference the error pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:06.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28dc1503a9d36654f9c61adb2915682515a30f71"
},
{
"url": "https://git.kernel.org/stable/c/e3d982c111a6c033671dd6084b07f62fbf50f76f"
},
{
"url": "https://git.kernel.org/stable/c/4ea189854b1e625ed5ec80d30147870f984db44c"
},
{
"url": "https://git.kernel.org/stable/c/d14eb80e27795b7b20060f7b151cdfe39722a813"
}
],
"title": "drm/panel: ili9341: fix optional regulator handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49071",
"datePublished": "2025-02-26T01:54:36.821Z",
"dateReserved": "2025-02-26T01:49:39.245Z",
"dateUpdated": "2025-10-01T19:57:05.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49089 (GCVE-0-2022-49089)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition
The documentation of the function rvt_error_qp says both r_lock and s_lock
need to be held when calling that function. It also asserts using lockdep
that both of those locks are held. However, the commit I referenced in
Fixes accidentally makes the call to rvt_error_qp in rvt_ruc_loopback no
longer covered by r_lock. This results in the lockdep assertion failing
and also possibly in a race condition.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: d757c60eca9b22f4d108929a24401e0fdecda0b1 Version: 25636de95557a95d54ac30be94af3748345a0a90 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rdmavt/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a50937227c385a477177c9ffa122b4230e40666",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"lessThan": "43c2d7890ecabe527448a6c391fb2d9a5e6bbfe0",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"lessThan": "92f1947c0d26060e978b3a9f21f32ce7c8c9cca3",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"lessThan": "77ffb2495a41098f9d6a14f8aefde3188da75944",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"lessThan": "57800cc36e55db0547461c49acf5cd84c0f502b0",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"lessThan": "4d809f69695d4e7d1378b3a072fa9aef23123018",
"status": "affected",
"version": "d757c60eca9b22f4d108929a24401e0fdecda0b1",
"versionType": "git"
},
{
"status": "affected",
"version": "25636de95557a95d54ac30be94af3748345a0a90",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rdmavt/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition\n\nThe documentation of the function rvt_error_qp says both r_lock and s_lock\nneed to be held when calling that function. It also asserts using lockdep\nthat both of those locks are held. However, the commit I referenced in\nFixes accidentally makes the call to rvt_error_qp in rvt_ruc_loopback no\nlonger covered by r_lock. This results in the lockdep assertion failing\nand also possibly in a race condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:16.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a50937227c385a477177c9ffa122b4230e40666"
},
{
"url": "https://git.kernel.org/stable/c/43c2d7890ecabe527448a6c391fb2d9a5e6bbfe0"
},
{
"url": "https://git.kernel.org/stable/c/92f1947c0d26060e978b3a9f21f32ce7c8c9cca3"
},
{
"url": "https://git.kernel.org/stable/c/77ffb2495a41098f9d6a14f8aefde3188da75944"
},
{
"url": "https://git.kernel.org/stable/c/57800cc36e55db0547461c49acf5cd84c0f502b0"
},
{
"url": "https://git.kernel.org/stable/c/4d809f69695d4e7d1378b3a072fa9aef23123018"
}
],
"title": "IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49089",
"datePublished": "2025-02-26T01:54:45.743Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T12:44:16.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49174 (GCVE-0-2022-49174)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit
In case of flex_bg feature (which is by default enabled), extents for
any given inode might span across blocks from two different block group.
ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the
starting block group, but it fails to read it again when the extent length
boundary overflows to another block group. Then in this below loop it
accesses memory beyond the block group bitmap buffer_head and results
into a data abort.
for (i = 0; i < clen; i++)
if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state)
already++;
This patch adds this functionality for checking block group boundary in
ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different
block group.
w/o this patch, I was easily able to hit a data access abort using Power platform.
<...>
[ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters
[ 74.533214] EXT4-fs (loop3): shut down requested (2)
[ 74.536705] Aborting journal on device loop3-8.
[ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000
[ 74.703727] Faulting instruction address: 0xc0000000007bffb8
cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]
pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0
lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0
sp: c000000015db7300
msr: 800000000280b033
dar: c00000005e980000
dsisr: 40000000
current = 0xc000000027af6880
paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01
pid = 5167, comm = mount
<...>
enter ? for help
[c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410
[c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000
[c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0
[c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0
[c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0
[c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10
[c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350
[c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40
[c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100
[c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70
[c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550
[c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0
[c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd6d719534af993210306f8a13f9cb3e615f7c8d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6a6beb074186a0452368a023a261c7d0eaebe838",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b07eedd0222e9548ffc568ec429bb1f61d21a39c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "803fb0e8240cc16585a5c9df76add1dfaa781773",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bfdc502a4a4c058bf4cbb1df0c297761d528f54d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix ext4_mb_mark_bb() with flex_bg with fast_commit\n\nIn case of flex_bg feature (which is by default enabled), extents for\nany given inode might span across blocks from two different block group.\next4_mb_mark_bb() only reads the buffer_head of block bitmap once for the\nstarting block group, but it fails to read it again when the extent length\nboundary overflows to another block group. Then in this below loop it\naccesses memory beyond the block group bitmap buffer_head and results\ninto a data abort.\n\n\tfor (i = 0; i \u003c clen; i++)\n\t\tif (!mb_test_bit(blkoff + i, bitmap_bh-\u003eb_data) == !state)\n\t\t\talready++;\n\nThis patch adds this functionality for checking block group boundary in\next4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different\nblock group.\n\nw/o this patch, I was easily able to hit a data access abort using Power platform.\n\n\u003c...\u003e\n[ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters\n[ 74.533214] EXT4-fs (loop3): shut down requested (2)\n[ 74.536705] Aborting journal on device loop3-8.\n[ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000\n[ 74.703727] Faulting instruction address: 0xc0000000007bffb8\ncpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]\n pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0\n lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0\n sp: c000000015db7300\n msr: 800000000280b033\n dar: c00000005e980000\n dsisr: 40000000\n current = 0xc000000027af6880\n paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01\n pid = 5167, comm = mount\n\u003c...\u003e\nenter ? for help\n[c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410\n[c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000\n[c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0\n[c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0\n[c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0\n[c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10\n[c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350\n[c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40\n[c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100\n[c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70\n[c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550\n[c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0\n[c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:36.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd6d719534af993210306f8a13f9cb3e615f7c8d"
},
{
"url": "https://git.kernel.org/stable/c/6a6beb074186a0452368a023a261c7d0eaebe838"
},
{
"url": "https://git.kernel.org/stable/c/b07eedd0222e9548ffc568ec429bb1f61d21a39c"
},
{
"url": "https://git.kernel.org/stable/c/803fb0e8240cc16585a5c9df76add1dfaa781773"
},
{
"url": "https://git.kernel.org/stable/c/bfdc502a4a4c058bf4cbb1df0c297761d528f54d"
}
],
"title": "ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49174",
"datePublished": "2025-02-26T01:55:29.590Z",
"dateReserved": "2025-02-26T01:49:39.280Z",
"dateUpdated": "2025-05-04T08:31:36.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47651 (GCVE-0-2021-47651)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: rpmpd: Check for null return of devm_kcalloc
Because of the possible failure of the allocation, data->domains might
be NULL pointer and will cause the dereference of the NULL pointer
later.
Therefore, it might be better to check it and directly return -ENOMEM
without releasing data manually if fails, because the comment of the
devm_kmalloc() says "Memory allocated with this function is
automatically freed on driver detach.".
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 Version: bbe3a66c3f5a65fb3d702351bac2a6033944d389 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:25.388114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/rpmpd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "755dbc3d73789ac9f0017c729abf5e4b153bf799",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
},
{
"lessThan": "b5d6eba71997b6d661935d2b15094ac7f9f6132d",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
},
{
"lessThan": "724376c30af5a57686b223dbcd6188e07d2a1de2",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
},
{
"lessThan": "84b89fa877ad576e9ee8130f412cfd592f274508",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
},
{
"lessThan": "31b5124d742969ea8bf7a1360596f548ca23e770",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
},
{
"lessThan": "5a811126d38f9767a20cc271b34db7c8efc5a46c",
"status": "affected",
"version": "bbe3a66c3f5a65fb3d702351bac2a6033944d389",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/rpmpd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: rpmpd: Check for null return of devm_kcalloc\n\nBecause of the possible failure of the allocation, data-\u003edomains might\nbe NULL pointer and will cause the dereference of the NULL pointer\nlater.\nTherefore, it might be better to check it and directly return -ENOMEM\nwithout releasing data manually if fails, because the comment of the\ndevm_kmalloc() says \"Memory allocated with this function is\nautomatically freed on driver detach.\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:32.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/755dbc3d73789ac9f0017c729abf5e4b153bf799"
},
{
"url": "https://git.kernel.org/stable/c/b5d6eba71997b6d661935d2b15094ac7f9f6132d"
},
{
"url": "https://git.kernel.org/stable/c/724376c30af5a57686b223dbcd6188e07d2a1de2"
},
{
"url": "https://git.kernel.org/stable/c/84b89fa877ad576e9ee8130f412cfd592f274508"
},
{
"url": "https://git.kernel.org/stable/c/31b5124d742969ea8bf7a1360596f548ca23e770"
},
{
"url": "https://git.kernel.org/stable/c/5a811126d38f9767a20cc271b34db7c8efc5a46c"
}
],
"title": "soc: qcom: rpmpd: Check for null return of devm_kcalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47651",
"datePublished": "2025-02-26T01:54:17.551Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-10-01T19:57:07.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49201 (GCVE-0-2022-49201)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: fix race between xmit and reset
There is a race between reset and the transmit paths that can lead to
ibmvnic_xmit() accessing an scrq after it has been freed in the reset
path. It can result in a crash like:
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc0080000016189f8
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c0080000016189f8] ibmvnic_xmit+0x60/0xb60 [ibmvnic]
LR [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280
Call Trace:
[c008000001618f08] ibmvnic_xmit+0x570/0xb60 [ibmvnic] (unreliable)
[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280
[c000000000c9cfcc] sch_direct_xmit+0xec/0x330
[c000000000bfe640] __dev_xmit_skb+0x3a0/0x9d0
[c000000000c00ad4] __dev_queue_xmit+0x394/0x730
[c008000002db813c] __bond_start_xmit+0x254/0x450 [bonding]
[c008000002db8378] bond_start_xmit+0x40/0xc0 [bonding]
[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280
[c000000000c00ca4] __dev_queue_xmit+0x564/0x730
[c000000000cf97e0] neigh_hh_output+0xd0/0x180
[c000000000cfa69c] ip_finish_output2+0x31c/0x5c0
[c000000000cfd244] __ip_queue_xmit+0x194/0x4f0
[c000000000d2a3c4] __tcp_transmit_skb+0x434/0x9b0
[c000000000d2d1e0] __tcp_retransmit_skb+0x1d0/0x6a0
[c000000000d2d984] tcp_retransmit_skb+0x34/0x130
[c000000000d310e8] tcp_retransmit_timer+0x388/0x6d0
[c000000000d315ec] tcp_write_timer_handler+0x1bc/0x330
[c000000000d317bc] tcp_write_timer+0x5c/0x200
[c000000000243270] call_timer_fn+0x50/0x1c0
[c000000000243704] __run_timers.part.0+0x324/0x460
[c000000000243894] run_timer_softirq+0x54/0xa0
[c000000000ea713c] __do_softirq+0x15c/0x3e0
[c000000000166258] __irq_exit_rcu+0x158/0x190
[c000000000166420] irq_exit+0x20/0x40
[c00000000002853c] timer_interrupt+0x14c/0x2b0
[c000000000009a00] decrementer_common_virt+0x210/0x220
--- interrupt: 900 at plpar_hcall_norets_notrace+0x18/0x2c
The immediate cause of the crash is the access of tx_scrq in the following
snippet during a reset, where the tx_scrq can be either NULL or an address
that will soon be invalid:
ibmvnic_xmit()
{
...
tx_scrq = adapter->tx_scrq[queue_num];
txq = netdev_get_tx_queue(netdev, queue_num);
ind_bufp = &tx_scrq->ind_buf;
if (test_bit(0, &adapter->resetting)) {
...
}
But beyond that, the call to ibmvnic_xmit() itself is not safe during a
reset and the reset path attempts to avoid this by stopping the queue in
ibmvnic_cleanup(). However just after the queue was stopped, an in-flight
ibmvnic_complete_tx() could have restarted the queue even as the reset is
progressing.
Since the queue was restarted we could get a call to ibmvnic_xmit() which
can then access the bad tx_scrq (or other fields).
We cannot however simply have ibmvnic_complete_tx() check the ->resetting
bit and skip starting the queue. This can race at the "back-end" of a good
reset which just restarted the queue but has not cleared the ->resetting
bit yet. If we skip restarting the queue due to ->resetting being true,
the queue would remain stopped indefinitely potentially leading to transmit
timeouts.
IOW ->resetting is too broad for this purpose. Instead use a new flag
that indicates whether or not the queues are active. Only the open/
reset paths control when the queues are active. ibmvnic_complete_tx()
and others wake up the queue only if the queue is marked active.
So we will have:
A. reset/open thread in ibmvnic_cleanup() and __ibmvnic_open()
->resetting = true
->tx_queues_active = false
disable tx queues
...
->tx_queues_active = true
start tx queues
B. Tx interrupt in ibmvnic_complete_tx():
if (->tx_queues_active)
netif_wake_subqueue();
To ensure that ->tx_queues_active and state of the queues are consistent,
we need a lock which:
- must also be taken in the interrupt path (ibmvnic_complete_tx())
- shared across the multiple
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:15.276230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:59.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c",
"drivers/net/ethernet/ibm/ibmvnic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bd58abf595b6cf1ba6dd47ec887c4c009155fc9",
"status": "affected",
"version": "7ed5b31f4a6695a21f617df07646e9b15c6c1d29",
"versionType": "git"
},
{
"lessThan": "475f9cce98b63bc145b4efa66fa51175d4cb345f",
"status": "affected",
"version": "7ed5b31f4a6695a21f617df07646e9b15c6c1d29",
"versionType": "git"
},
{
"lessThan": "8507c6ade73cdbbbda5c3d31d67f52f2e1cf03fe",
"status": "affected",
"version": "7ed5b31f4a6695a21f617df07646e9b15c6c1d29",
"versionType": "git"
},
{
"lessThan": "4219196d1f662cb10a462eb9e076633a3fc31a15",
"status": "affected",
"version": "7ed5b31f4a6695a21f617df07646e9b15c6c1d29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c",
"drivers/net/ethernet/ibm/ibmvnic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: fix race between xmit and reset\n\nThere is a race between reset and the transmit paths that can lead to\nibmvnic_xmit() accessing an scrq after it has been freed in the reset\npath. It can result in a crash like:\n\n\tKernel attempted to read user page (0) - exploit attempt? (uid: 0)\n\tBUG: Kernel NULL pointer dereference on read at 0x00000000\n\tFaulting instruction address: 0xc0080000016189f8\n\tOops: Kernel access of bad area, sig: 11 [#1]\n\t...\n\tNIP [c0080000016189f8] ibmvnic_xmit+0x60/0xb60 [ibmvnic]\n\tLR [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\tCall Trace:\n\t[c008000001618f08] ibmvnic_xmit+0x570/0xb60 [ibmvnic] (unreliable)\n\t[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\t[c000000000c9cfcc] sch_direct_xmit+0xec/0x330\n\t[c000000000bfe640] __dev_xmit_skb+0x3a0/0x9d0\n\t[c000000000c00ad4] __dev_queue_xmit+0x394/0x730\n\t[c008000002db813c] __bond_start_xmit+0x254/0x450 [bonding]\n\t[c008000002db8378] bond_start_xmit+0x40/0xc0 [bonding]\n\t[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\t[c000000000c00ca4] __dev_queue_xmit+0x564/0x730\n\t[c000000000cf97e0] neigh_hh_output+0xd0/0x180\n\t[c000000000cfa69c] ip_finish_output2+0x31c/0x5c0\n\t[c000000000cfd244] __ip_queue_xmit+0x194/0x4f0\n\t[c000000000d2a3c4] __tcp_transmit_skb+0x434/0x9b0\n\t[c000000000d2d1e0] __tcp_retransmit_skb+0x1d0/0x6a0\n\t[c000000000d2d984] tcp_retransmit_skb+0x34/0x130\n\t[c000000000d310e8] tcp_retransmit_timer+0x388/0x6d0\n\t[c000000000d315ec] tcp_write_timer_handler+0x1bc/0x330\n\t[c000000000d317bc] tcp_write_timer+0x5c/0x200\n\t[c000000000243270] call_timer_fn+0x50/0x1c0\n\t[c000000000243704] __run_timers.part.0+0x324/0x460\n\t[c000000000243894] run_timer_softirq+0x54/0xa0\n\t[c000000000ea713c] __do_softirq+0x15c/0x3e0\n\t[c000000000166258] __irq_exit_rcu+0x158/0x190\n\t[c000000000166420] irq_exit+0x20/0x40\n\t[c00000000002853c] timer_interrupt+0x14c/0x2b0\n\t[c000000000009a00] decrementer_common_virt+0x210/0x220\n\t--- interrupt: 900 at plpar_hcall_norets_notrace+0x18/0x2c\n\nThe immediate cause of the crash is the access of tx_scrq in the following\nsnippet during a reset, where the tx_scrq can be either NULL or an address\nthat will soon be invalid:\n\n\tibmvnic_xmit()\n\t{\n\t\t...\n\t\ttx_scrq = adapter-\u003etx_scrq[queue_num];\n\t\ttxq = netdev_get_tx_queue(netdev, queue_num);\n\t\tind_bufp = \u0026tx_scrq-\u003eind_buf;\n\n\t\tif (test_bit(0, \u0026adapter-\u003eresetting)) {\n\t\t...\n\t}\n\nBut beyond that, the call to ibmvnic_xmit() itself is not safe during a\nreset and the reset path attempts to avoid this by stopping the queue in\nibmvnic_cleanup(). However just after the queue was stopped, an in-flight\nibmvnic_complete_tx() could have restarted the queue even as the reset is\nprogressing.\n\nSince the queue was restarted we could get a call to ibmvnic_xmit() which\ncan then access the bad tx_scrq (or other fields).\n\nWe cannot however simply have ibmvnic_complete_tx() check the -\u003eresetting\nbit and skip starting the queue. This can race at the \"back-end\" of a good\nreset which just restarted the queue but has not cleared the -\u003eresetting\nbit yet. If we skip restarting the queue due to -\u003eresetting being true,\nthe queue would remain stopped indefinitely potentially leading to transmit\ntimeouts.\n\nIOW -\u003eresetting is too broad for this purpose. Instead use a new flag\nthat indicates whether or not the queues are active. Only the open/\nreset paths control when the queues are active. ibmvnic_complete_tx()\nand others wake up the queue only if the queue is marked active.\n\nSo we will have:\n\tA. reset/open thread in ibmvnic_cleanup() and __ibmvnic_open()\n\n\t\t-\u003eresetting = true\n\t\t-\u003etx_queues_active = false\n\t\tdisable tx queues\n\t\t...\n\t\t-\u003etx_queues_active = true\n\t\tstart tx queues\n\n\tB. Tx interrupt in ibmvnic_complete_tx():\n\n\t\tif (-\u003etx_queues_active)\n\t\t\tnetif_wake_subqueue();\n\nTo ensure that -\u003etx_queues_active and state of the queues are consistent,\nwe need a lock which:\n\n\t- must also be taken in the interrupt path (ibmvnic_complete_tx())\n\t- shared across the multiple\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:14.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bd58abf595b6cf1ba6dd47ec887c4c009155fc9"
},
{
"url": "https://git.kernel.org/stable/c/475f9cce98b63bc145b4efa66fa51175d4cb345f"
},
{
"url": "https://git.kernel.org/stable/c/8507c6ade73cdbbbda5c3d31d67f52f2e1cf03fe"
},
{
"url": "https://git.kernel.org/stable/c/4219196d1f662cb10a462eb9e076633a3fc31a15"
}
],
"title": "ibmvnic: fix race between xmit and reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49201",
"datePublished": "2025-02-26T01:55:43.263Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:56:59.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52831 (GCVE-0-2023-52831)
Vulnerability from cvelistv5
Published
2024-05-21 15:31
Modified
2025-05-04 07:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpu/hotplug: Don't offline the last non-isolated CPU
If a system has isolated CPUs via the "isolcpus=" command line parameter,
then an attempt to offline the last housekeeping CPU will result in a
WARN_ON() when rebuilding the scheduler domains and a subsequent panic due
to and unhandled empty CPU mas in partition_sched_domains_locked().
cpuset_hotplug_workfn()
rebuild_sched_domains_locked()
ndoms = generate_sched_domains(&doms, &attr);
cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));
Thus results in an empty CPU mask which triggers the warning and then the
subsequent crash:
WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408
Call trace:
build_sched_domains+0x120c/0x1408
partition_sched_domains_locked+0x234/0x880
rebuild_sched_domains_locked+0x37c/0x798
rebuild_sched_domains+0x30/0x58
cpuset_hotplug_workfn+0x2a8/0x930
Unable to handle kernel paging request at virtual address fffe80027ab37080
partition_sched_domains_locked+0x318/0x880
rebuild_sched_domains_locked+0x37c/0x798
Aside of the resulting crash, it does not make any sense to offline the last
last housekeeping CPU.
Prevent this by masking out the non-housekeeping CPUs when selecting a
target CPU for initiating the CPU unplug operation via the work queue.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T19:07:45.620666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T20:44:55.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3410b702354702b500bde10e3cc1f9db8731d908",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "335a47ed71e332c82339d1aec0c7f6caccfcda13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3073f6df783d9d75f7f69f73e16c7ef85d6cfb63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38685e2a0476127db766f81b1c06019ddc4c9ffa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don\u0027t offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n rebuild_sched_domains_locked()\n ndoms = generate_sched_domains(\u0026doms, \u0026attr);\n cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:43:55.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3410b702354702b500bde10e3cc1f9db8731d908"
},
{
"url": "https://git.kernel.org/stable/c/335a47ed71e332c82339d1aec0c7f6caccfcda13"
},
{
"url": "https://git.kernel.org/stable/c/3073f6df783d9d75f7f69f73e16c7ef85d6cfb63"
},
{
"url": "https://git.kernel.org/stable/c/38685e2a0476127db766f81b1c06019ddc4c9ffa"
}
],
"title": "cpu/hotplug: Don\u0027t offline the last non-isolated CPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52831",
"datePublished": "2024-05-21T15:31:33.566Z",
"dateReserved": "2024-05-21T15:19:24.251Z",
"dateUpdated": "2025-05-04T07:43:55.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21835 (GCVE-0-2025-21835)
Vulnerability from cvelistv5
Published
2025-03-07 09:09
Modified
2025-11-03 21:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_midi: fix MIDI Streaming descriptor lengths
While the MIDI jacks are configured correctly, and the MIDIStreaming
endpoint descriptors are filled with the correct information,
bNumEmbMIDIJack and bLength are set incorrectly in these descriptors.
This does not matter when the numbers of in and out ports are equal, but
when they differ the host will receive broken descriptors with
uninitialized stack memory leaking into the descriptor for whichever
value is smaller.
The precise meaning of "in" and "out" in the port counts is not clearly
defined and can be confusing. But elsewhere the driver consistently
uses this to match the USB meaning of IN and OUT viewed from the host,
so that "in" ports send data to the host and "out" ports receive data
from it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 Version: c8933c3f79568263c90a46f06cf80419e6c63c97 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:00:07.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a983390d14e8498f303fc5cb23ab7d696b815db",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "9f36a89dcb78cb7e37f487b04a16396ac18c0636",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "d8e86700c8a8cf415e300a0921acd6a8f9b494f8",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "9f6860a9c11301b052225ca8825f8d2b1a5825bf",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "6ae6dee9f005a2f3b739b85abb6f14a0935699e0",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "6b16761a928796e4b49e89a0b1ac284155172726",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "a2d0694e1f111379c1efdf439dadd3cfd959fe9d",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
},
{
"lessThan": "da1668997052ed1cb00322e1f3b63702615c9429",
"status": "affected",
"version": "c8933c3f79568263c90a46f06cf80419e6c63c97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_midi: fix MIDI Streaming descriptor lengths\n\nWhile the MIDI jacks are configured correctly, and the MIDIStreaming\nendpoint descriptors are filled with the correct information,\nbNumEmbMIDIJack and bLength are set incorrectly in these descriptors.\n\nThis does not matter when the numbers of in and out ports are equal, but\nwhen they differ the host will receive broken descriptors with\nuninitialized stack memory leaking into the descriptor for whichever\nvalue is smaller.\n\nThe precise meaning of \"in\" and \"out\" in the port counts is not clearly\ndefined and can be confusing. But elsewhere the driver consistently\nuses this to match the USB meaning of IN and OUT viewed from the host,\nso that \"in\" ports send data to the host and \"out\" ports receive data\nfrom it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:08.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a983390d14e8498f303fc5cb23ab7d696b815db"
},
{
"url": "https://git.kernel.org/stable/c/9f36a89dcb78cb7e37f487b04a16396ac18c0636"
},
{
"url": "https://git.kernel.org/stable/c/d8e86700c8a8cf415e300a0921acd6a8f9b494f8"
},
{
"url": "https://git.kernel.org/stable/c/9f6860a9c11301b052225ca8825f8d2b1a5825bf"
},
{
"url": "https://git.kernel.org/stable/c/6ae6dee9f005a2f3b739b85abb6f14a0935699e0"
},
{
"url": "https://git.kernel.org/stable/c/6b16761a928796e4b49e89a0b1ac284155172726"
},
{
"url": "https://git.kernel.org/stable/c/a2d0694e1f111379c1efdf439dadd3cfd959fe9d"
},
{
"url": "https://git.kernel.org/stable/c/da1668997052ed1cb00322e1f3b63702615c9429"
}
],
"title": "usb: gadget: f_midi: fix MIDI Streaming descriptor lengths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21835",
"datePublished": "2025-03-07T09:09:55.320Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2025-11-03T21:00:07.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49242 (GCVE-0-2022-49242)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
For example, when codec_np is NULL, saif_np[0] and saif_np[1]
are not NULL, it will cause leaks.
of_node_put() will check if the node pointer is NULL, so we can
call it directly to release the refcount of regular pointers.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe Version: e968194b45c4e8077dada75c5bae5660b37628fe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:41.640059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:02.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/mxs/mxs-sgtl5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f16ad2c0e22687f80e5981c67374023f51c204b9",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "790d2628e3fcc819d8f5572eb5615113fb2e727a",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "f8d38056bcd220ea6f0802a5586d1a12ebcce849",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "67e12f1cb2f97468c12b59e21975eaa0f332e7d2",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "86b6cf989437e694fd0a15782b5a513853a739e0",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "44acdaf7acb60054d872bed18ce0e7db8ce900ce",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "d2923b48d99fe663cb93d8b481c93299fcd68656",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "8d880226c86f37624e2a5f3c6d92ac0ec3375f96",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
},
{
"lessThan": "6ae0a4d8fec551ec581d620f0eb1fe31f755551c",
"status": "affected",
"version": "e968194b45c4e8077dada75c5bae5660b37628fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/mxs/mxs-sgtl5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mxs: Fix error handling in mxs_sgtl5000_probe\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFor example, when codec_np is NULL, saif_np[0] and saif_np[1]\nare not NULL, it will cause leaks.\n\nof_node_put() will check if the node pointer is NULL, so we can\ncall it directly to release the refcount of regular pointers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:11.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f16ad2c0e22687f80e5981c67374023f51c204b9"
},
{
"url": "https://git.kernel.org/stable/c/790d2628e3fcc819d8f5572eb5615113fb2e727a"
},
{
"url": "https://git.kernel.org/stable/c/f8d38056bcd220ea6f0802a5586d1a12ebcce849"
},
{
"url": "https://git.kernel.org/stable/c/67e12f1cb2f97468c12b59e21975eaa0f332e7d2"
},
{
"url": "https://git.kernel.org/stable/c/86b6cf989437e694fd0a15782b5a513853a739e0"
},
{
"url": "https://git.kernel.org/stable/c/44acdaf7acb60054d872bed18ce0e7db8ce900ce"
},
{
"url": "https://git.kernel.org/stable/c/d2923b48d99fe663cb93d8b481c93299fcd68656"
},
{
"url": "https://git.kernel.org/stable/c/8d880226c86f37624e2a5f3c6d92ac0ec3375f96"
},
{
"url": "https://git.kernel.org/stable/c/6ae0a4d8fec551ec581d620f0eb1fe31f755551c"
}
],
"title": "ASoC: mxs: Fix error handling in mxs_sgtl5000_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49242",
"datePublished": "2025-02-26T01:56:03.812Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-10-01T19:47:02.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58055 (GCVE-0-2024-58055)
Vulnerability from cvelistv5
Published
2025-03-06 15:53
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_tcm: Don't free command immediately
Don't prematurely free the command. Wait for the status completion of
the sense status. It can be freed then. Otherwise we will double-free
the command.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 Version: cff834c16d23d614388aab1b86d19eb67b3f80c4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:24.217231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:38.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:50.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_tcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "38229c35a6d7875697dfb293356407330cfcd23e",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "f0c33e7d387ccbb6870e73a43c558fefede06614",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "16907219ad6763f401700e1b57b2da4f3e07f047",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "929b69810eec132b284ffd19047a85d961df9e4d",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "e6693595bd1b55af62d057a4136a89d5c2ddf0e9",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
},
{
"lessThan": "c225d006a31949d673e646d585d9569bc28feeb9",
"status": "affected",
"version": "cff834c16d23d614388aab1b86d19eb67b3f80c4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_tcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Don\u0027t free command immediately\n\nDon\u0027t prematurely free the command. Wait for the status completion of\nthe sense status. It can be freed then. Otherwise we will double-free\nthe command."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:50.223Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cb72dc08ed8da60fd6d1f6adf13bf0e6ee0f694"
},
{
"url": "https://git.kernel.org/stable/c/38229c35a6d7875697dfb293356407330cfcd23e"
},
{
"url": "https://git.kernel.org/stable/c/bbb7f49839b57d66ccaf7b5752d9b63d3031dd0a"
},
{
"url": "https://git.kernel.org/stable/c/f0c33e7d387ccbb6870e73a43c558fefede06614"
},
{
"url": "https://git.kernel.org/stable/c/16907219ad6763f401700e1b57b2da4f3e07f047"
},
{
"url": "https://git.kernel.org/stable/c/929b69810eec132b284ffd19047a85d961df9e4d"
},
{
"url": "https://git.kernel.org/stable/c/e6693595bd1b55af62d057a4136a89d5c2ddf0e9"
},
{
"url": "https://git.kernel.org/stable/c/c225d006a31949d673e646d585d9569bc28feeb9"
}
],
"title": "usb: gadget: f_tcm: Don\u0027t free command immediately",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58055",
"datePublished": "2025-03-06T15:53:58.951Z",
"dateReserved": "2025-03-06T15:52:09.179Z",
"dateUpdated": "2025-11-03T19:33:50.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49107 (GCVE-0-2022-49107)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix memory leak in ceph_readdir when note_last_dentry returns error
Reset the last_readdir at the same time, and add a comment explaining
why we don't free last_readdir when dir_emit returns false.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:03.486437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:04.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4429786129648a8f4bb1e5faa143c4478cc5c4a",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "2fe82d3254029ef9ec4e7be890125d5ef4f537de",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "e792575b902a3939ca482491ee9fb3a236f99640",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "7f740ede35132d3d5d19747cad56a511d21bb156",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "f639d9867eea647005dc824e0e24f39ffc50d4e4",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_readdir when note_last_dentry returns error\n\nReset the last_readdir at the same time, and add a comment explaining\nwhy we don\u0027t free last_readdir when dir_emit returns false."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:01.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4429786129648a8f4bb1e5faa143c4478cc5c4a"
},
{
"url": "https://git.kernel.org/stable/c/2fe82d3254029ef9ec4e7be890125d5ef4f537de"
},
{
"url": "https://git.kernel.org/stable/c/e792575b902a3939ca482491ee9fb3a236f99640"
},
{
"url": "https://git.kernel.org/stable/c/7f740ede35132d3d5d19747cad56a511d21bb156"
},
{
"url": "https://git.kernel.org/stable/c/f639d9867eea647005dc824e0e24f39ffc50d4e4"
}
],
"title": "ceph: fix memory leak in ceph_readdir when note_last_dentry returns error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49107",
"datePublished": "2025-02-26T01:54:54.493Z",
"dateReserved": "2025-02-26T01:49:39.251Z",
"dateUpdated": "2025-10-01T19:57:04.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58080 (GCVE-0-2024-58080)
Vulnerability from cvelistv5
Published
2025-03-06 16:13
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: dispcc-sm6350: Add missing parent_map for a clock
If a clk_rcg2 has a parent, it should also have parent_map defined,
otherwise we'll get a NULL pointer dereference when calling clk_set_rate
like the following:
[ 3.388105] Call trace:
[ 3.390664] qcom_find_src_index+0x3c/0x70 (P)
[ 3.395301] qcom_find_src_index+0x1c/0x70 (L)
[ 3.399934] _freq_tbl_determine_rate+0x48/0x100
[ 3.404753] clk_rcg2_determine_rate+0x1c/0x28
[ 3.409387] clk_core_determine_round_nolock+0x58/0xe4
[ 3.421414] clk_core_round_rate_nolock+0x48/0xfc
[ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc
[ 3.444483] clk_core_set_rate_nolock+0x8c/0x300
[ 3.455886] clk_set_rate+0x38/0x14c
Add the parent_map property for the clock where it's missing and also
un-inline the parent_data as well to keep the matching parent_map and
parent_data together.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:27:17.147966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:35.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:14.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/dispcc-sm6350.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3daca9050857220726732ad9d4a8512069386f46",
"status": "affected",
"version": "837519775f1d3945e3d4019641f7120d58325059",
"versionType": "git"
},
{
"lessThan": "3ad28517385e2821e8e43388d6a0b3e1ba0bc3ab",
"status": "affected",
"version": "837519775f1d3945e3d4019641f7120d58325059",
"versionType": "git"
},
{
"lessThan": "2dba8d5d423fa5f6f3a687aa6e0da5808f69091b",
"status": "affected",
"version": "837519775f1d3945e3d4019641f7120d58325059",
"versionType": "git"
},
{
"lessThan": "a1f15808adfd77268eac7fefce5378ad9fedbfba",
"status": "affected",
"version": "837519775f1d3945e3d4019641f7120d58325059",
"versionType": "git"
},
{
"lessThan": "d4cdb196f182d2fbe336c968228be00d8c3fed05",
"status": "affected",
"version": "837519775f1d3945e3d4019641f7120d58325059",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/dispcc-sm6350.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: dispcc-sm6350: Add missing parent_map for a clock\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we\u0027ll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n [ 3.388105] Call trace:\n [ 3.390664] qcom_find_src_index+0x3c/0x70 (P)\n [ 3.395301] qcom_find_src_index+0x1c/0x70 (L)\n [ 3.399934] _freq_tbl_determine_rate+0x48/0x100\n [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28\n [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4\n [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc\n [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc\n [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300\n [ 3.455886] clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for the clock where it\u0027s missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:31.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3daca9050857220726732ad9d4a8512069386f46"
},
{
"url": "https://git.kernel.org/stable/c/3ad28517385e2821e8e43388d6a0b3e1ba0bc3ab"
},
{
"url": "https://git.kernel.org/stable/c/2dba8d5d423fa5f6f3a687aa6e0da5808f69091b"
},
{
"url": "https://git.kernel.org/stable/c/a1f15808adfd77268eac7fefce5378ad9fedbfba"
},
{
"url": "https://git.kernel.org/stable/c/d4cdb196f182d2fbe336c968228be00d8c3fed05"
}
],
"title": "clk: qcom: dispcc-sm6350: Add missing parent_map for a clock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58080",
"datePublished": "2025-03-06T16:13:43.414Z",
"dateReserved": "2025-03-06T15:52:09.183Z",
"dateUpdated": "2025-11-03T19:34:14.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49185 (GCVE-0-2022-49185)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
This node pointer is returned by of_parse_phandle() with refcount
incremented in this function. Calling of_node_put() to avoid
the refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c Version: 32e67eee670e1254ee5ab41e2f454680acb9c17c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:26.081614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:59.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nomadik/pinctrl-nomadik.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59250d547542f1c7765a78dc97ddfe5e6b0d2ab0",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "0356d4b64a03d23daf99a2a29d7d7d91d6ec2ea8",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "0067ba448f1c29ca06e5aee00d8506889ed1f9d0",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "bc1e29a35147c1ba6ea2b06a16cb0028f7c852d2",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "669b05ff43bd7ed684379c6e2006a6dad5127b71",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "c52703355766c347f270df222a744e0c491a02f2",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "9511c6018cd772668def8b034bc67269847e591a",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "62580a40c9bef3d8a90629c64dda381344b35ffd",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
},
{
"lessThan": "c09ac191b1f97cfa06f394dbfd7a5db07986cefc",
"status": "affected",
"version": "32e67eee670e1254ee5ab41e2f454680acb9c17c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nomadik/pinctrl-nomadik.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function. Calling of_node_put() to avoid\nthe refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:49.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59250d547542f1c7765a78dc97ddfe5e6b0d2ab0"
},
{
"url": "https://git.kernel.org/stable/c/0356d4b64a03d23daf99a2a29d7d7d91d6ec2ea8"
},
{
"url": "https://git.kernel.org/stable/c/0067ba448f1c29ca06e5aee00d8506889ed1f9d0"
},
{
"url": "https://git.kernel.org/stable/c/bc1e29a35147c1ba6ea2b06a16cb0028f7c852d2"
},
{
"url": "https://git.kernel.org/stable/c/669b05ff43bd7ed684379c6e2006a6dad5127b71"
},
{
"url": "https://git.kernel.org/stable/c/c52703355766c347f270df222a744e0c491a02f2"
},
{
"url": "https://git.kernel.org/stable/c/9511c6018cd772668def8b034bc67269847e591a"
},
{
"url": "https://git.kernel.org/stable/c/62580a40c9bef3d8a90629c64dda381344b35ffd"
},
{
"url": "https://git.kernel.org/stable/c/c09ac191b1f97cfa06f394dbfd7a5db07986cefc"
}
],
"title": "pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49185",
"datePublished": "2025-02-26T01:55:35.068Z",
"dateReserved": "2025-02-26T01:49:39.284Z",
"dateUpdated": "2025-10-01T19:56:59.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49389 (GCVE-0-2022-49389)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: usbip: fix a refcount leak in stub_probe()
usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.
Fix this by moving usb_put_dev() to sdev_free error path handling.
Find this by code review.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 3ff67445750a84de67faaf52c6e1895cb09f2c56 Version: 77e7f91231bf63e3c64eb59a2aaf5754eaea2e69 Version: d0f35e23dafa0185f979d0c70463caa658062264 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:37.910870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:51.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/stub_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bafee2f18af5e5ac125e42960bc65496d0e56a0",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "f20d2d3b3364ce6525c050a8b6b4c54c8c19674d",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "247d3809e45a34d9e1a3a2bb7012e31ed8b46031",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "2f0ae93ec33c8456cdfbf7876b80403a6318ebce",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "bcbb795a9e78180d74c6ab21518da87e803dfdce",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "51422046be504515eb5a591adf0f424b62f46804",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "8afb048800919d0ab10c57983940eba956339f21",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "11c65408bd0ba1d9cd1307caa38169292de9cdfb",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"lessThan": "9ec4cbf1cc55d126759051acfe328d489c5d6e60",
"status": "affected",
"version": "3ff67445750a84de67faaf52c6e1895cb09f2c56",
"versionType": "git"
},
{
"status": "affected",
"version": "77e7f91231bf63e3c64eb59a2aaf5754eaea2e69",
"versionType": "git"
},
{
"status": "affected",
"version": "d0f35e23dafa0185f979d0c70463caa658062264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/stub_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.110",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbip: fix a refcount leak in stub_probe()\n\nusb_get_dev() is called in stub_device_alloc(). When stub_probe() fails\nafter that, usb_put_dev() needs to be called to release the reference.\n\nFix this by moving usb_put_dev() to sdev_free error path handling.\n\nFind this by code review."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:33.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bafee2f18af5e5ac125e42960bc65496d0e56a0"
},
{
"url": "https://git.kernel.org/stable/c/f20d2d3b3364ce6525c050a8b6b4c54c8c19674d"
},
{
"url": "https://git.kernel.org/stable/c/247d3809e45a34d9e1a3a2bb7012e31ed8b46031"
},
{
"url": "https://git.kernel.org/stable/c/2f0ae93ec33c8456cdfbf7876b80403a6318ebce"
},
{
"url": "https://git.kernel.org/stable/c/bcbb795a9e78180d74c6ab21518da87e803dfdce"
},
{
"url": "https://git.kernel.org/stable/c/51422046be504515eb5a591adf0f424b62f46804"
},
{
"url": "https://git.kernel.org/stable/c/8afb048800919d0ab10c57983940eba956339f21"
},
{
"url": "https://git.kernel.org/stable/c/11c65408bd0ba1d9cd1307caa38169292de9cdfb"
},
{
"url": "https://git.kernel.org/stable/c/9ec4cbf1cc55d126759051acfe328d489c5d6e60"
}
],
"title": "usb: usbip: fix a refcount leak in stub_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49389",
"datePublished": "2025-02-26T02:11:22.834Z",
"dateReserved": "2025-02-26T02:08:31.561Z",
"dateUpdated": "2025-10-01T19:46:51.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49419 (GCVE-0-2022-49419)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup
Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather
than .remove") fixed a use-after-free error due the vesafb driver freeing
the fb_info in the .remove handler instead of doing it in .fb_destroy.
This can happen if the .fb_destroy callback is executed after the .remove
callback, since the former tries to access a pointer freed by the latter.
But that change didn't take into account that another possible scenario is
that .fb_destroy is called before the .remove callback. For example, if no
process has the fbdev chardev opened by the time the driver is removed.
If that's the case, fb_info will be freed when unregister_framebuffer() is
called, making the fb_info pointer accessed in vesafb_remove() after that
to no longer be valid.
To prevent that, move the expression containing the info->par to happen
before the unregister_framebuffer() function call.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:14.940889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:33.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/vesafb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63",
"status": "affected",
"version": "f94aa46efaa087ec075c83e4508f943fb5e43977",
"versionType": "git"
},
{
"lessThan": "f605f5558ecc175ec70016a3c15f007cb6386531",
"status": "affected",
"version": "a1aac13288de2935dc1a9330a93b1ac92f1e2b72",
"versionType": "git"
},
{
"lessThan": "d260cad015945d1f4bb9b028a096f648506106a2",
"status": "affected",
"version": "b3c9a924aab61adbc29df110006aa03afe1a78ba",
"versionType": "git"
},
{
"lessThan": "acde4003efc16480375543638484d8f13f2e99a3",
"status": "affected",
"version": "b3c9a924aab61adbc29df110006aa03afe1a78ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/vesafb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup\n\nCommit b3c9a924aab6 (\"fbdev: vesafb: Cleanup fb_info in .fb_destroy rather\nthan .remove\") fixed a use-after-free error due the vesafb driver freeing\nthe fb_info in the .remove handler instead of doing it in .fb_destroy.\n\nThis can happen if the .fb_destroy callback is executed after the .remove\ncallback, since the former tries to access a pointer freed by the latter.\n\nBut that change didn\u0027t take into account that another possible scenario is\nthat .fb_destroy is called before the .remove callback. For example, if no\nprocess has the fbdev chardev opened by the time the driver is removed.\n\nIf that\u0027s the case, fb_info will be freed when unregister_framebuffer() is\ncalled, making the fb_info pointer accessed in vesafb_remove() after that\nto no longer be valid.\n\nTo prevent that, move the expression containing the info-\u003epar to happen\nbefore the unregister_framebuffer() function call."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:16.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63"
},
{
"url": "https://git.kernel.org/stable/c/f605f5558ecc175ec70016a3c15f007cb6386531"
},
{
"url": "https://git.kernel.org/stable/c/d260cad015945d1f4bb9b028a096f648506106a2"
},
{
"url": "https://git.kernel.org/stable/c/acde4003efc16480375543638484d8f13f2e99a3"
}
],
"title": "video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49419",
"datePublished": "2025-02-26T02:12:43.849Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:16.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49483 (GCVE-0-2022-49483)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/disp/dpu1: avoid clearing hw interrupts if hw_intr is null during drm uninit
If edp modeset init is failed due to panel being not ready and
probe defers during drm bind, avoid clearing irqs and dereference
hw_intr when hw_intr is null.
BUG: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
dpu_core_irq_uninstall+0x50/0xb0
dpu_irq_uninstall+0x18/0x24
msm_drm_uninit+0xd8/0x16c
msm_drm_bind+0x580/0x5fc
try_to_bring_up_master+0x168/0x1c0
__component_add+0xb4/0x178
component_add+0x1c/0x28
dp_display_probe+0x38c/0x400
platform_probe+0xb0/0xd0
really_probe+0xcc/0x2c8
__driver_probe_device+0xbc/0xe8
driver_probe_device+0x48/0xf0
__device_attach_driver+0xa0/0xc8
bus_for_each_drv+0x8c/0xd8
__device_attach+0xc4/0x150
device_initial_probe+0x1c/0x28
Changes in V2:
- Update commit message and coreect fixes tag.
Patchwork: https://patchwork.freedesktop.org/patch/484430/
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:16.676337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7ca30c3a8b2e8bda65f2b922d382ac056be8aa4",
"status": "affected",
"version": "f25f656608e3a54ac3e0747be415cf3d4a69cef8",
"versionType": "git"
},
{
"lessThan": "a800701429313149afde18d98821554fbfcb3164",
"status": "affected",
"version": "f25f656608e3a54ac3e0747be415cf3d4a69cef8",
"versionType": "git"
},
{
"lessThan": "01013ba9bbddc62f7d011163cebfd7ed06bb698b",
"status": "affected",
"version": "f25f656608e3a54ac3e0747be415cf3d4a69cef8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/disp/dpu1: avoid clearing hw interrupts if hw_intr is null during drm uninit\n\nIf edp modeset init is failed due to panel being not ready and\nprobe defers during drm bind, avoid clearing irqs and dereference\nhw_intr when hw_intr is null.\n\nBUG: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\nCall trace:\n dpu_core_irq_uninstall+0x50/0xb0\n dpu_irq_uninstall+0x18/0x24\n msm_drm_uninit+0xd8/0x16c\n msm_drm_bind+0x580/0x5fc\n try_to_bring_up_master+0x168/0x1c0\n __component_add+0xb4/0x178\n component_add+0x1c/0x28\n dp_display_probe+0x38c/0x400\n platform_probe+0xb0/0xd0\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xbc/0xe8\n driver_probe_device+0x48/0xf0\n __device_attach_driver+0xa0/0xc8\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xc4/0x150\n device_initial_probe+0x1c/0x28\n\nChanges in V2:\n- Update commit message and coreect fixes tag.\n\nPatchwork: https://patchwork.freedesktop.org/patch/484430/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:52.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7ca30c3a8b2e8bda65f2b922d382ac056be8aa4"
},
{
"url": "https://git.kernel.org/stable/c/a800701429313149afde18d98821554fbfcb3164"
},
{
"url": "https://git.kernel.org/stable/c/01013ba9bbddc62f7d011163cebfd7ed06bb698b"
}
],
"title": "drm/msm/disp/dpu1: avoid clearing hw interrupts if hw_intr is null during drm uninit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49483",
"datePublished": "2025-02-26T02:13:22.779Z",
"dateReserved": "2025-02-26T02:08:31.582Z",
"dateUpdated": "2025-10-01T19:46:44.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49422 (GCVE-0-2022-49422)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix the error handling path in idxd_cdev_register()
If a call to alloc_chrdev_region() fails, the already allocated resources
are leaking.
Add the needed error handling path to fix the leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6073af78156b8c3fc1198f8bcc190b7ac3ac0143",
"status": "affected",
"version": "42d279f9137ab7d5503836baec2739284b278d8f",
"versionType": "git"
},
{
"lessThan": "b3c7b5d08e9d5b2ff31c03078c00ecf11042419f",
"status": "affected",
"version": "42d279f9137ab7d5503836baec2739284b278d8f",
"versionType": "git"
},
{
"lessThan": "5e88561eceb34ae3f88451c2b8e30fe403484189",
"status": "affected",
"version": "42d279f9137ab7d5503836baec2739284b278d8f",
"versionType": "git"
},
{
"lessThan": "c308a2e711a52a47f4b45e7add2b5200169e429a",
"status": "affected",
"version": "42d279f9137ab7d5503836baec2739284b278d8f",
"versionType": "git"
},
{
"lessThan": "aab08c1aac01097815fbcf10fce7021d2396a31f",
"status": "affected",
"version": "42d279f9137ab7d5503836baec2739284b278d8f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix the error handling path in idxd_cdev_register()\n\nIf a call to alloc_chrdev_region() fails, the already allocated resources\nare leaking.\n\nAdd the needed error handling path to fix the leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:20.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6073af78156b8c3fc1198f8bcc190b7ac3ac0143"
},
{
"url": "https://git.kernel.org/stable/c/b3c7b5d08e9d5b2ff31c03078c00ecf11042419f"
},
{
"url": "https://git.kernel.org/stable/c/5e88561eceb34ae3f88451c2b8e30fe403484189"
},
{
"url": "https://git.kernel.org/stable/c/c308a2e711a52a47f4b45e7add2b5200169e429a"
},
{
"url": "https://git.kernel.org/stable/c/aab08c1aac01097815fbcf10fce7021d2396a31f"
}
],
"title": "dmaengine: idxd: Fix the error handling path in idxd_cdev_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49422",
"datePublished": "2025-02-26T02:12:45.269Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:20.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49120 (GCVE-0-2022-49120)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix task leak in pm8001_send_abort_all()
In pm8001_send_abort_all(), make sure to free the allocated sas task
if pm8001_tag_alloc() or pm8001_mpi_build_cmd() fail.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2051044d7901f1a9d7be95d0d32e53b88e9548f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2290dcad6f65864dec518fb2d5fb45f67d684150",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "146cae06d2682d7563732544be334e8e6d3862b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34c79d16ee69cb53288c202bb1ab0ba0130d9674",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f90a74892f3acf0cdec5844e90fc8686ca13e7d7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix task leak in pm8001_send_abort_all()\n\nIn pm8001_send_abort_all(), make sure to free the allocated sas task\nif pm8001_tag_alloc() or pm8001_mpi_build_cmd() fail."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:19.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2051044d7901f1a9d7be95d0d32e53b88e9548f7"
},
{
"url": "https://git.kernel.org/stable/c/2290dcad6f65864dec518fb2d5fb45f67d684150"
},
{
"url": "https://git.kernel.org/stable/c/146cae06d2682d7563732544be334e8e6d3862b8"
},
{
"url": "https://git.kernel.org/stable/c/34c79d16ee69cb53288c202bb1ab0ba0130d9674"
},
{
"url": "https://git.kernel.org/stable/c/f90a74892f3acf0cdec5844e90fc8686ca13e7d7"
}
],
"title": "scsi: pm8001: Fix task leak in pm8001_send_abort_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49120",
"datePublished": "2025-02-26T01:55:01.159Z",
"dateReserved": "2025-02-26T01:49:39.264Z",
"dateUpdated": "2025-05-04T08:30:19.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49708 (GCVE-0-2022-49708)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 12:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on ext4_mb_use_inode_pa
Hulk Robot reported a BUG_ON:
==================================================================
kernel BUG at fs/ext4/mballoc.c:3211!
[...]
RIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f
[...]
Call Trace:
ext4_mb_new_blocks+0x9df/0x5d30
ext4_ext_map_blocks+0x1803/0x4d80
ext4_map_blocks+0x3a4/0x1a10
ext4_writepages+0x126d/0x2c30
do_writepages+0x7f/0x1b0
__filemap_fdatawrite_range+0x285/0x3b0
file_write_and_wait_range+0xb1/0x140
ext4_sync_file+0x1aa/0xca0
vfs_fsync_range+0xfb/0x260
do_fsync+0x48/0xa0
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
do_fsync
vfs_fsync_range
ext4_sync_file
file_write_and_wait_range
__filemap_fdatawrite_range
do_writepages
ext4_writepages
mpage_map_and_submit_extent
mpage_map_one_extent
ext4_map_blocks
ext4_mb_new_blocks
ext4_mb_normalize_request
>>> start + size <= ac->ac_o_ex.fe_logical
ext4_mb_regular_allocator
ext4_mb_simple_scan_group
ext4_mb_use_best_found
ext4_mb_new_preallocation
ext4_mb_new_inode_pa
ext4_mb_use_inode_pa
>>> set ac->ac_b_ex.fe_len <= 0
ext4_mb_mark_diskspace_used
>>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
we can easily reproduce this problem with the following commands:
`fallocate -l100M disk`
`mkfs.ext4 -b 1024 -g 256 disk`
`mount disk /mnt`
`fsstress -d /mnt -l 0 -n 1000 -p 1`
The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP.
Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur
when the size is truncated. So start should be the start position of
the group where ac_o_ex.fe_logical is located after alignment.
In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP
is very large, the value calculated by start_off is more accurate.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fc6c2da174edd7a7b760b12c60d432d300e05cca Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: cd648b8a8fd5071d232242d5ee7ee3c0815776af Version: f213db429b883a2d5403de0b1ce92fb7d7ee979e Version: 98f58e05231f835dfb09359e3b5e3a886fe8f189 Version: c1664e9bcf6291c0ceb8599f57c8cf493526abe6 Version: 37cf4ab1ba60c30ca9fd0fe3b9993b24cb87886a Version: 75f37dab088eb84ff25a49e59371f01ea3f44aa7 Version: 8774c73cf6963310395823ed7077ea12943ea0f3 Version: c4fbdc0124799f1772f4d886b7f2e1a6f881d195 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6880fb2e64331b9fdc85d3f32b1d7e81ad8703f1",
"status": "affected",
"version": "fc6c2da174edd7a7b760b12c60d432d300e05cca",
"versionType": "git"
},
{
"lessThan": "a37c1359714da42517dd19d36fc3c4d17edba832",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "5707d721d1819db57dba57b1d4623034fcb32047",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "a6b31616e5afe1d3972cb0682a373e50597faf5c",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "6fdaf31ad5f3d3afab744dfd9a8b0d9142aa881f",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "90f0f9d45dff0128c0fca0d2358c4153b024afa6",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "887a3e9ad4b8309a2266bce7ae749b2bf1f7a687",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"lessThan": "a08f789d2ab5242c07e716baf9a835725046be89",
"status": "affected",
"version": "cd648b8a8fd5071d232242d5ee7ee3c0815776af",
"versionType": "git"
},
{
"status": "affected",
"version": "f213db429b883a2d5403de0b1ce92fb7d7ee979e",
"versionType": "git"
},
{
"status": "affected",
"version": "98f58e05231f835dfb09359e3b5e3a886fe8f189",
"versionType": "git"
},
{
"status": "affected",
"version": "c1664e9bcf6291c0ceb8599f57c8cf493526abe6",
"versionType": "git"
},
{
"status": "affected",
"version": "37cf4ab1ba60c30ca9fd0fe3b9993b24cb87886a",
"versionType": "git"
},
{
"status": "affected",
"version": "75f37dab088eb84ff25a49e59371f01ea3f44aa7",
"versionType": "git"
},
{
"status": "affected",
"version": "8774c73cf6963310395823ed7077ea12943ea0f3",
"versionType": "git"
},
{
"status": "affected",
"version": "c4fbdc0124799f1772f4d886b7f2e1a6f881d195",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"versionStartIncluding": "4.9.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on ext4_mb_use_inode_pa\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/mballoc.c:3211!\n[...]\nRIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f\n[...]\nCall Trace:\n ext4_mb_new_blocks+0x9df/0x5d30\n ext4_ext_map_blocks+0x1803/0x4d80\n ext4_map_blocks+0x3a4/0x1a10\n ext4_writepages+0x126d/0x2c30\n do_writepages+0x7f/0x1b0\n __filemap_fdatawrite_range+0x285/0x3b0\n file_write_and_wait_range+0xb1/0x140\n ext4_sync_file+0x1aa/0xca0\n vfs_fsync_range+0xfb/0x260\n do_fsync+0x48/0xa0\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\ndo_fsync\n vfs_fsync_range\n ext4_sync_file\n file_write_and_wait_range\n __filemap_fdatawrite_range\n do_writepages\n ext4_writepages\n mpage_map_and_submit_extent\n mpage_map_one_extent\n ext4_map_blocks\n ext4_mb_new_blocks\n ext4_mb_normalize_request\n \u003e\u003e\u003e start + size \u003c= ac-\u003eac_o_ex.fe_logical\n ext4_mb_regular_allocator\n ext4_mb_simple_scan_group\n ext4_mb_use_best_found\n ext4_mb_new_preallocation\n ext4_mb_new_inode_pa\n ext4_mb_use_inode_pa\n \u003e\u003e\u003e set ac-\u003eac_b_ex.fe_len \u003c= 0\n ext4_mb_mark_diskspace_used\n \u003e\u003e\u003e BUG_ON(ac-\u003eac_b_ex.fe_len \u003c= 0);\n\nwe can easily reproduce this problem with the following commands:\n\t`fallocate -l100M disk`\n\t`mkfs.ext4 -b 1024 -g 256 disk`\n\t`mount disk /mnt`\n\t`fsstress -d /mnt -l 0 -n 1000 -p 1`\n\nThe size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP.\nTherefore, \"start + size \u003c= ac-\u003eac_o_ex.fe_logical\" may occur\nwhen the size is truncated. So start should be the start position of\nthe group where ac_o_ex.fe_logical is located after alignment.\nIn addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP\nis very large, the value calculated by start_off is more accurate."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:10.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6880fb2e64331b9fdc85d3f32b1d7e81ad8703f1"
},
{
"url": "https://git.kernel.org/stable/c/a37c1359714da42517dd19d36fc3c4d17edba832"
},
{
"url": "https://git.kernel.org/stable/c/5707d721d1819db57dba57b1d4623034fcb32047"
},
{
"url": "https://git.kernel.org/stable/c/a6b31616e5afe1d3972cb0682a373e50597faf5c"
},
{
"url": "https://git.kernel.org/stable/c/6fdaf31ad5f3d3afab744dfd9a8b0d9142aa881f"
},
{
"url": "https://git.kernel.org/stable/c/90f0f9d45dff0128c0fca0d2358c4153b024afa6"
},
{
"url": "https://git.kernel.org/stable/c/887a3e9ad4b8309a2266bce7ae749b2bf1f7a687"
},
{
"url": "https://git.kernel.org/stable/c/a08f789d2ab5242c07e716baf9a835725046be89"
}
],
"title": "ext4: fix bug_on ext4_mb_use_inode_pa",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49708",
"datePublished": "2025-02-26T02:24:26.142Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-05-04T12:45:10.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49301 (GCVE-0-2022-49301)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8712: fix uninit-value in usb_read8() and friends
When r8712_usbctrl_vendorreq() returns negative, 'data' in
usb_read{8,16,32} will not be initialized.
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:643 [inline]
BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:725
string_nocheck lib/vsprintf.c:643 [inline]
string+0x4ec/0x6f0 lib/vsprintf.c:725
vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806
va_format lib/vsprintf.c:1704 [inline]
pointer+0x18e6/0x1f70 lib/vsprintf.c:2443
vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2810
vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158
vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256
dev_vprintk_emit+0x5ef/0x6d0 drivers/base/core.c:4604
dev_printk_emit+0x1dd/0x21f drivers/base/core.c:4615
__dev_printk+0x3be/0x440 drivers/base/core.c:4627
_dev_info+0x1ea/0x22f drivers/base/core.c:4673
r871xu_drv_init+0x1929/0x3070 drivers/staging/rtl8712/usb_intf.c:401
usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
really_probe+0x6c7/0x1350 drivers/base/dd.c:621
__driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
driver_probe_device drivers/base/dd.c:782 [inline]
__device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
__device_attach+0x593/0x8e0 drivers/base/dd.c:970
device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
device_add+0x1fff/0x26e0 drivers/base/core.c:3405
usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238
usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293
really_probe+0x6c7/0x1350 drivers/base/dd.c:621
__driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
driver_probe_device drivers/base/dd.c:782 [inline]
__device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
__device_attach+0x593/0x8e0 drivers/base/dd.c:970
device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
device_add+0x1fff/0x26e0 drivers/base/core.c:3405
usb_new_device+0x1b91/0x2950 drivers/usb/core/hub.c:2566
hub_port_connect drivers/usb/core/hub.c:5363 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
port_event drivers/usb/core/hub.c:5665 [inline]
hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5747
process_one_work+0xdb6/0x1820 kernel/workqueue.c:2289
worker_thread+0x10d0/0x2240 kernel/workqueue.c:2436
kthread+0x3c7/0x500 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
Local variable data created at:
usb_read8+0x5d/0x130 drivers/staging/rtl8712/usb_ops.c:33
r8712_read8+0xa5/0xd0 drivers/staging/rtl8712/rtl8712_io.c:29
KMSAN: uninit-value in r871xu_drv_init
https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:44.311879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:59.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/usb_ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58762f1c63c75cbe1dc393eed3c9cf8e38310ca1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33ef21d55418ab6a62a63fd550b2dbe297433372",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "95b0f54f8a898072a2810c05fab34d971f23a612",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7ed3c85da0b230bcdf5329acfe012ed093f3daa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de075af8c404f7d59ed34df230aedd9f645fb846",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1b57669732d09da7e13ef86d058dab0cd57f6e0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/usb_ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix uninit-value in usb_read8() and friends\n\nWhen r8712_usbctrl_vendorreq() returns negative, \u0027data\u0027 in\nusb_read{8,16,32} will not be initialized.\n\nBUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:643 [inline]\nBUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:725\n string_nocheck lib/vsprintf.c:643 [inline]\n string+0x4ec/0x6f0 lib/vsprintf.c:725\n vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806\n va_format lib/vsprintf.c:1704 [inline]\n pointer+0x18e6/0x1f70 lib/vsprintf.c:2443\n vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2810\n vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158\n vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256\n dev_vprintk_emit+0x5ef/0x6d0 drivers/base/core.c:4604\n dev_printk_emit+0x1dd/0x21f drivers/base/core.c:4615\n __dev_printk+0x3be/0x440 drivers/base/core.c:4627\n _dev_info+0x1ea/0x22f drivers/base/core.c:4673\n r871xu_drv_init+0x1929/0x3070 drivers/staging/rtl8712/usb_intf.c:401\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n really_probe+0x6c7/0x1350 drivers/base/dd.c:621\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238\n usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293\n really_probe+0x6c7/0x1350 drivers/base/dd.c:621\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_new_device+0x1b91/0x2950 drivers/usb/core/hub.c:2566\n hub_port_connect drivers/usb/core/hub.c:5363 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]\n port_event drivers/usb/core/hub.c:5665 [inline]\n hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5747\n process_one_work+0xdb6/0x1820 kernel/workqueue.c:2289\n worker_thread+0x10d0/0x2240 kernel/workqueue.c:2436\n kthread+0x3c7/0x500 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nLocal variable data created at:\n usb_read8+0x5d/0x130 drivers/staging/rtl8712/usb_ops.c:33\n r8712_read8+0xa5/0xd0 drivers/staging/rtl8712/rtl8712_io.c:29\n\nKMSAN: uninit-value in r871xu_drv_init\nhttps://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:39.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58762f1c63c75cbe1dc393eed3c9cf8e38310ca1"
},
{
"url": "https://git.kernel.org/stable/c/33ef21d55418ab6a62a63fd550b2dbe297433372"
},
{
"url": "https://git.kernel.org/stable/c/95b0f54f8a898072a2810c05fab34d971f23a612"
},
{
"url": "https://git.kernel.org/stable/c/d7ed3c85da0b230bcdf5329acfe012ed093f3daa"
},
{
"url": "https://git.kernel.org/stable/c/de075af8c404f7d59ed34df230aedd9f645fb846"
},
{
"url": "https://git.kernel.org/stable/c/d1b57669732d09da7e13ef86d058dab0cd57f6e0"
}
],
"title": "staging: rtl8712: fix uninit-value in usb_read8() and friends",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49301",
"datePublished": "2025-02-26T02:10:36.072Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-10-01T19:46:59.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49584 (GCVE-0-2022-49584)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
It is possible to disable VFs while the PF driver is processing requests
from the VF driver. This can result in a panic.
BUG: unable to handle kernel paging request at 000000000000106c
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I --------- -
Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020
RIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe]
Code: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff
01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 <41> 80 7c 24 4c
00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a
RSP: 0018:ffffb337869f8df8 EFLAGS: 00010002
RAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b
RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006
RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780
R10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020
R13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80
FS: 0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
? ttwu_do_wakeup+0x19/0x140
? try_to_wake_up+0x1cd/0x550
? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf]
ixgbe_msix_other+0x17e/0x310 [ixgbe]
__handle_irq_event_percpu+0x40/0x180
handle_irq_event_percpu+0x30/0x80
handle_irq_event+0x36/0x53
handle_edge_irq+0x82/0x190
handle_irq+0x1c/0x30
do_IRQ+0x49/0xd0
common_interrupt+0xf/0xf
This can be eventually be reproduced with the following script:
while :
do
echo 63 > /sys/class/net/<devname>/device/sriov_numvfs
sleep 1
echo 0 > /sys/class/net/<devname>/device/sriov_numvfs
sleep 1
done
Add lock when disabling SR-IOV to prevent process VF mailbox communication.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe.h",
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c",
"drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "031af9e617a6f51075d97e56fc9e712c7dde2508",
"status": "affected",
"version": "d773d1310625be3b040b436178ad59a0af8888f1",
"versionType": "git"
},
{
"lessThan": "b82de63f8f817b5735480293dda8e92ba8170c52",
"status": "affected",
"version": "d773d1310625be3b040b436178ad59a0af8888f1",
"versionType": "git"
},
{
"lessThan": "16f929a5e76fd047fd8697e1e568bdd7d771955c",
"status": "affected",
"version": "d773d1310625be3b040b436178ad59a0af8888f1",
"versionType": "git"
},
{
"lessThan": "9d925d2dc82cec2bcbd8625457645d8a548ab22e",
"status": "affected",
"version": "d773d1310625be3b040b436178ad59a0af8888f1",
"versionType": "git"
},
{
"lessThan": "1e53834ce541d4fe271cdcca7703e50be0a44f8a",
"status": "affected",
"version": "d773d1310625be3b040b436178ad59a0af8888f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe.h",
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c",
"drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Add locking to prevent panic when setting sriov_numvfs to zero\n\nIt is possible to disable VFs while the PF driver is processing requests\nfrom the VF driver. This can result in a panic.\n\nBUG: unable to handle kernel paging request at 000000000000106c\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I --------- -\nHardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020\nRIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe]\nCode: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff\n01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 \u003c41\u003e 80 7c 24 4c\n00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a\nRSP: 0018:ffffb337869f8df8 EFLAGS: 00010002\nRAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b\nRDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006\nRBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780\nR10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020\nR13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80\nFS: 0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ? ttwu_do_wakeup+0x19/0x140\n ? try_to_wake_up+0x1cd/0x550\n ? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf]\n ixgbe_msix_other+0x17e/0x310 [ixgbe]\n __handle_irq_event_percpu+0x40/0x180\n handle_irq_event_percpu+0x30/0x80\n handle_irq_event+0x36/0x53\n handle_edge_irq+0x82/0x190\n handle_irq+0x1c/0x30\n do_IRQ+0x49/0xd0\n common_interrupt+0xf/0xf\n\nThis can be eventually be reproduced with the following script:\n\nwhile :\ndo\n echo 63 \u003e /sys/class/net/\u003cdevname\u003e/device/sriov_numvfs\n sleep 1\n echo 0 \u003e /sys/class/net/\u003cdevname\u003e/device/sriov_numvfs\n sleep 1\ndone\n\nAdd lock when disabling SR-IOV to prevent process VF mailbox communication."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:10.383Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/031af9e617a6f51075d97e56fc9e712c7dde2508"
},
{
"url": "https://git.kernel.org/stable/c/b82de63f8f817b5735480293dda8e92ba8170c52"
},
{
"url": "https://git.kernel.org/stable/c/16f929a5e76fd047fd8697e1e568bdd7d771955c"
},
{
"url": "https://git.kernel.org/stable/c/9d925d2dc82cec2bcbd8625457645d8a548ab22e"
},
{
"url": "https://git.kernel.org/stable/c/1e53834ce541d4fe271cdcca7703e50be0a44f8a"
}
],
"title": "ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49584",
"datePublished": "2025-02-26T02:23:20.600Z",
"dateReserved": "2025-02-26T02:21:30.412Z",
"dateUpdated": "2025-05-04T08:41:10.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56770 (GCVE-0-2024-56770)
Vulnerability from cvelistv5
Published
2025-01-08 16:36
Modified
2025-11-03 20:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: netem: account for backlog updates from child qdisc
In general, 'qlen' of any classful qdisc should keep track of the
number of packets that the qdisc itself and all of its children holds.
In case of netem, 'qlen' only accounts for the packets in its internal
tfifo. When netem is used with a child qdisc, the child qdisc can use
'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
or dropped SKBs. This function updates 'qlen' and the backlog statistics
of netem, but netem does not account for changes made by a child qdisc.
'qlen' then indicates the wrong number of packets in the tfifo.
If a child qdisc creates new SKBs during enqueue and informs its parent
about this, netem's 'qlen' value is increased. When netem dequeues the
newly created SKBs from the child, the 'qlen' in netem is not updated.
If 'qlen' reaches the configured sch->limit, the enqueue function stops
working, even though the tfifo is not full.
Reproduce the bug:
Ensure that the sender machine has GSO enabled. Configure netem as root
qdisc and tbf as its child on the outgoing interface of the machine
as follows:
$ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100
$ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms
Send bulk TCP traffic out via this interface, e.g., by running an iPerf3
client on the machine. Check the qdisc statistics:
$ tc -s qdisc show dev <oif>
Statistics after 10s of iPerf3 TCP test before the fix (note that
netem's backlog > limit, netem stopped accepting packets):
qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)
backlog 4294528236b 1155p requeues 0
qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)
backlog 0b 0p requeues 0
Statistics after the fix:
qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)
backlog 0b 0p requeues 0
tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'.
The interface fully stops transferring packets and "locks". In this case,
the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at
its limit and no more packets are accepted.
This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is
only decreased when a packet is returned by its dequeue function, and not
during enqueuing into the child qdisc. External updates to 'qlen' are thus
accounted for and only the behavior of the backlog statistics changes. As
in other qdiscs, 'qlen' then keeps track of how many packets are held in
netem and all of its children. As before, sch->limit remains as the
maximum number of packets in the tfifo. The same applies to netem's
backlog statistics.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe Version: 50612537e9ab29693122fab20fc1eed235054ffe |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:56:54.954468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:25.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:54:08.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "216509dda290f6db92c816dd54b83c1df9da9e76",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "c2047b0e216c8edce227d7c42f99ac2877dad0e4",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "10df49cfca73dfbbdb6c4150d859f7e8926ae427",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "3824c5fad18eeb7abe0c4fc966f29959552dca3e",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "356078a5c55ec8d2061fcc009fb8599f5b0527f9",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
},
{
"lessThan": "f8d4bc455047cf3903cd6f85f49978987dbb3027",
"status": "affected",
"version": "50612537e9ab29693122fab20fc1eed235054ffe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_netem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.288",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.232",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.175",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.121",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.67",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.6",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: netem: account for backlog updates from child qdisc\n\nIn general, \u0027qlen\u0027 of any classful qdisc should keep track of the\nnumber of packets that the qdisc itself and all of its children holds.\nIn case of netem, \u0027qlen\u0027 only accounts for the packets in its internal\ntfifo. When netem is used with a child qdisc, the child qdisc can use\n\u0027qdisc_tree_reduce_backlog\u0027 to inform its parent, netem, about created\nor dropped SKBs. This function updates \u0027qlen\u0027 and the backlog statistics\nof netem, but netem does not account for changes made by a child qdisc.\n\u0027qlen\u0027 then indicates the wrong number of packets in the tfifo.\nIf a child qdisc creates new SKBs during enqueue and informs its parent\nabout this, netem\u0027s \u0027qlen\u0027 value is increased. When netem dequeues the\nnewly created SKBs from the child, the \u0027qlen\u0027 in netem is not updated.\nIf \u0027qlen\u0027 reaches the configured sch-\u003elimit, the enqueue function stops\nworking, even though the tfifo is not full.\n\nReproduce the bug:\nEnsure that the sender machine has GSO enabled. Configure netem as root\nqdisc and tbf as its child on the outgoing interface of the machine\nas follows:\n$ tc qdisc add dev \u003coif\u003e root handle 1: netem delay 100ms limit 100\n$ tc qdisc add dev \u003coif\u003e parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms\n\nSend bulk TCP traffic out via this interface, e.g., by running an iPerf3\nclient on the machine. Check the qdisc statistics:\n$ tc -s qdisc show dev \u003coif\u003e\n\nStatistics after 10s of iPerf3 TCP test before the fix (note that\nnetem\u0027s backlog \u003e limit, netem stopped accepting packets):\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)\n backlog 4294528236b 1155p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)\n backlog 0b 0p requeues 0\n\nStatistics after the fix:\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)\n backlog 0b 0p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)\n backlog 0b 0p requeues 0\n\ntbf segments the GSO SKBs (tbf_segment) and updates the netem\u0027s \u0027qlen\u0027.\nThe interface fully stops transferring packets and \"locks\". In this case,\nthe child qdisc and tfifo are empty, but \u0027qlen\u0027 indicates the tfifo is at\nits limit and no more packets are accepted.\n\nThis patch adds a counter for the entries in the tfifo. Netem\u0027s \u0027qlen\u0027 is\nonly decreased when a packet is returned by its dequeue function, and not\nduring enqueuing into the child qdisc. External updates to \u0027qlen\u0027 are thus\naccounted for and only the behavior of the backlog statistics changes. As\nin other qdiscs, \u0027qlen\u0027 then keeps track of how many packets are held in\nnetem and all of its children. As before, sch-\u003elimit remains as the\nmaximum number of packets in the tfifo. The same applies to netem\u0027s\nbacklog statistics."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:04:19.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31"
},
{
"url": "https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76"
},
{
"url": "https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4"
},
{
"url": "https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427"
},
{
"url": "https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e"
},
{
"url": "https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9"
},
{
"url": "https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027"
}
],
"title": "net/sched: netem: account for backlog updates from child qdisc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56770",
"datePublished": "2025-01-08T16:36:59.315Z",
"dateReserved": "2024-12-29T11:26:39.763Z",
"dateUpdated": "2025-11-03T20:54:08.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21830 (GCVE-0-2025-21830)
Vulnerability from cvelistv5
Published
2025-03-06 16:08
Modified
2025-11-03 21:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
landlock: Handle weird files
A corrupted filesystem (e.g. bcachefs) might return weird files.
Instead of throwing a warning and allowing access to such file, treat
them as regular files.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d Version: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:00:01.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/landlock/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a1fccf6b72b56343dd4f2d96b008147f9951eebd",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "7d6121228959ddf44a4b9b6a177384ac7854e2f9",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "39bb3d56f1c351e76bb18895d0e73796e653d5c1",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "2569e65d2eb6ac1afe6cb6dfae476afee8b6771a",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "0fde195a373ab1267e60baa9e1a703a97e7464cd",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
},
{
"lessThan": "49440290a0935f428a1e43a5ac8dc275a647ff80",
"status": "affected",
"version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/landlock/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Handle weird files\n\nA corrupted filesystem (e.g. bcachefs) might return weird files.\nInstead of throwing a warning and allowing access to such file, treat\nthem as regular files."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:03.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a1fccf6b72b56343dd4f2d96b008147f9951eebd"
},
{
"url": "https://git.kernel.org/stable/c/7d6121228959ddf44a4b9b6a177384ac7854e2f9"
},
{
"url": "https://git.kernel.org/stable/c/39bb3d56f1c351e76bb18895d0e73796e653d5c1"
},
{
"url": "https://git.kernel.org/stable/c/2569e65d2eb6ac1afe6cb6dfae476afee8b6771a"
},
{
"url": "https://git.kernel.org/stable/c/0fde195a373ab1267e60baa9e1a703a97e7464cd"
},
{
"url": "https://git.kernel.org/stable/c/49440290a0935f428a1e43a5ac8dc275a647ff80"
}
],
"title": "landlock: Handle weird files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21830",
"datePublished": "2025-03-06T16:08:09.894Z",
"dateReserved": "2024-12-29T08:45:45.776Z",
"dateUpdated": "2025-11-03T21:00:01.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53033 (GCVE-0-2023-53033)
Vulnerability from cvelistv5
Published
2025-03-27 16:44
Modified
2025-05-04 07:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
If the offset + length goes over the ethernet + vlan header, then the
length is adjusted to copy the bytes that are within the boundaries of
the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
vlan header are copied directly from the skbuff data area.
Fix incorrect arithmetic operator: subtract, not add, the size of the
vlan header in case of double-tagged packets to adjust the length
accordingly to address CVE-2023-0179.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_payload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "550efeff989b041f3746118c0ddd863c39ddc1aa",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "a8acfe2c6fb99f9375a9325807a179cd8c32e6e3",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "76ef74d4a379faa451003621a84e3498044e7aa3",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "696e1a48b1a1b01edad542a1ef293665864a4dd0",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_payload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.89",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.7",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits\n\nIf the offset + length goes over the ethernet + vlan header, then the\nlength is adjusted to copy the bytes that are within the boundaries of\nthe vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +\nvlan header are copied directly from the skbuff data area.\n\nFix incorrect arithmetic operator: subtract, not add, the size of the\nvlan header in case of double-tagged packets to adjust the length\naccordingly to address CVE-2023-0179."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:09.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/550efeff989b041f3746118c0ddd863c39ddc1aa"
},
{
"url": "https://git.kernel.org/stable/c/a8acfe2c6fb99f9375a9325807a179cd8c32e6e3"
},
{
"url": "https://git.kernel.org/stable/c/76ef74d4a379faa451003621a84e3498044e7aa3"
},
{
"url": "https://git.kernel.org/stable/c/696e1a48b1a1b01edad542a1ef293665864a4dd0"
}
],
"title": "netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53033",
"datePublished": "2025-03-27T16:44:01.044Z",
"dateReserved": "2025-03-27T16:40:15.758Z",
"dateUpdated": "2025-05-04T07:48:09.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49209 (GCVE-0-2022-49209)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full
If tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc()
returns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial
memory has been alloced by sk_msg_alloc(), that is, msg_tx->sg.size is
greater than osize after sk_msg_alloc(), memleak occurs. To fix we use
sk_msg_trim() to release the allocated memory, then goto wait for memory.
Other call paths of sk_msg_alloc() have the similar issue, such as
tls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(),
as Cong Wang suggested.
This issue can cause the following info:
WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
Call Trace:
<TASK>
inet_csk_destroy_sock+0x55/0x110
__tcp_close+0x279/0x470
tcp_close+0x1f/0x60
inet_release+0x3f/0x80
__sock_release+0x3d/0xb0
sock_close+0x11/0x20
__fput+0x92/0x250
task_work_run+0x6a/0xa0
do_exit+0x33b/0xb60
do_group_exit+0x2f/0xa0
get_signal+0xb6/0x950
arch_do_signal_or_restart+0xac/0x2a0
exit_to_user_mode_prepare+0xa9/0x200
syscall_exit_to_user_mode+0x12/0x30
do_syscall_64+0x46/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
WARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
kthread+0xe6/0x110
ret_from_fork+0x22/0x30
</TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:55.575336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:06.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d03722c34d9603df325f67c6d30dc1b7b3c6067",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "bec34a91eba3483e1830c02bdd36f8f968642047",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "de3a8d8fab0710186f7864ec812836d8d70da3c9",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "f677328f05f52d535cbdc15cb04476db49477eb4",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "d0b85dfc6f01d26808e2576c6537c131b590e270",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "9c34e38c4a870eb30b13f42f5b44f42e9d19ccb8",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full\n\nIf tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc()\nreturns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial\nmemory has been alloced by sk_msg_alloc(), that is, msg_tx-\u003esg.size is\ngreater than osize after sk_msg_alloc(), memleak occurs. To fix we use\nsk_msg_trim() to release the allocated memory, then goto wait for memory.\n\nOther call paths of sk_msg_alloc() have the similar issue, such as\ntls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(),\nas Cong Wang suggested.\n\nThis issue can cause the following info:\nWARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0\nCall Trace:\n \u003cTASK\u003e\n inet_csk_destroy_sock+0x55/0x110\n __tcp_close+0x279/0x470\n tcp_close+0x1f/0x60\n inet_release+0x3f/0x80\n __sock_release+0x3d/0xb0\n sock_close+0x11/0x20\n __fput+0x92/0x250\n task_work_run+0x6a/0xa0\n do_exit+0x33b/0xb60\n do_group_exit+0x2f/0xa0\n get_signal+0xb6/0x950\n arch_do_signal_or_restart+0xac/0x2a0\n exit_to_user_mode_prepare+0xa9/0x200\n syscall_exit_to_user_mode+0x12/0x30\n do_syscall_64+0x46/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e\n\nWARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n kthread+0xe6/0x110\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:24.969Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d03722c34d9603df325f67c6d30dc1b7b3c6067"
},
{
"url": "https://git.kernel.org/stable/c/bec34a91eba3483e1830c02bdd36f8f968642047"
},
{
"url": "https://git.kernel.org/stable/c/de3a8d8fab0710186f7864ec812836d8d70da3c9"
},
{
"url": "https://git.kernel.org/stable/c/f677328f05f52d535cbdc15cb04476db49477eb4"
},
{
"url": "https://git.kernel.org/stable/c/d0b85dfc6f01d26808e2576c6537c131b590e270"
},
{
"url": "https://git.kernel.org/stable/c/9c34e38c4a870eb30b13f42f5b44f42e9d19ccb8"
}
],
"title": "bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49209",
"datePublished": "2025-02-26T01:55:47.154Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:47:06.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46796 (GCVE-0-2024-46796)
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2025-05-04 09:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix double put of @cfile in smb2_set_path_size()
If smb2_compound_op() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() before retrying it
as the reference of @cfile was already dropped by previous call.
This fixes the following KASAN splat when running fstests generic/013
against Windows Server 2022:
CIFS: Attempting to mount //w22-fs0/scratch
run fstests generic/013 at 2024-09-02 19:48:59
==================================================================
BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176
CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
04/01/2014
Workqueue: cifsoplockd cifs_oplock_break [cifs]
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? detach_if_pending+0xab/0x200
print_report+0x156/0x4d9
? detach_if_pending+0xab/0x200
? __virt_addr_valid+0x145/0x300
? __phys_addr+0x46/0x90
? detach_if_pending+0xab/0x200
kasan_report+0xda/0x110
? detach_if_pending+0xab/0x200
detach_if_pending+0xab/0x200
timer_delete+0x96/0xe0
? __pfx_timer_delete+0x10/0x10
? rcu_is_watching+0x20/0x50
try_to_grab_pending+0x46/0x3b0
__cancel_work+0x89/0x1b0
? __pfx___cancel_work+0x10/0x10
? kasan_save_track+0x14/0x30
cifs_close_deferred_file+0x110/0x2c0 [cifs]
? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
? __pfx_down_read+0x10/0x10
cifs_oplock_break+0x4c1/0xa50 [cifs]
? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
? lock_is_held_type+0x85/0xf0
? mark_held_locks+0x1a/0x90
process_one_work+0x4c6/0x9f0
? find_held_lock+0x8a/0xa0
? __pfx_process_one_work+0x10/0x10
? lock_acquired+0x220/0x550
? __list_add_valid_or_report+0x37/0x100
worker_thread+0x2e4/0x570
? __kthread_parkme+0xd1/0xf0
? __pfx_worker_thread+0x10/0x10
kthread+0x17f/0x1c0
? kthread+0xda/0x1c0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1118:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
cifs_new_fileinfo+0xc8/0x9d0 [cifs]
cifs_atomic_open+0x467/0x770 [cifs]
lookup_open.isra.0+0x665/0x8b0
path_openat+0x4c3/0x1380
do_filp_open+0x167/0x270
do_sys_openat2+0x129/0x160
__x64_sys_creat+0xad/0xe0
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 83:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x70
poison_slab_object+0xe9/0x160
__kasan_slab_free+0x32/0x50
kfree+0xf2/0x300
process_one_work+0x4c6/0x9f0
worker_thread+0x2e4/0x570
kthread+0x17f/0x1c0
ret_from_fork+0x31/0x60
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x30/0x50
__kasan_record_aux_stack+0xad/0xc0
insert_work+0x29/0xe0
__queue_work+0x5ea/0x760
queue_work_on+0x6d/0x90
_cifsFileInfo_put+0x3f6/0x770 [cifs]
smb2_compound_op+0x911/0x3940 [cifs]
smb2_set_path_size+0x228/0x270 [cifs]
cifs_set_file_size+0x197/0x460 [cifs]
cifs_setattr+0xd9c/0x14b0 [cifs]
notify_change+0x4e3/0x740
do_truncate+0xfa/0x180
vfs_truncate+0x195/0x200
__x64_sys_truncate+0x109/0x150
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:22:40.903539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:22:52.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a72d1edb0843e4c927a4096f81e631031c25c28",
"status": "affected",
"version": "1e60bc0e954389af82f1d9a85f13a63f6572350f",
"versionType": "git"
},
{
"lessThan": "762099898309218b4a7954f3d49e985dc4dfd638",
"status": "affected",
"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
"versionType": "git"
},
{
"lessThan": "f9c169b51b6ce20394594ef674d6b10efba31220",
"status": "affected",
"version": "71f15c90e785d1de4bcd65a279e7256684c25c0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n CIFS: Attempting to mount //w22-fs0/scratch\n run fstests generic/013 at 2024-09-02 19:48:59\n ==================================================================\n BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n 04/01/2014\n Workqueue: cifsoplockd cifs_oplock_break [cifs]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n ? detach_if_pending+0xab/0x200\n print_report+0x156/0x4d9\n ? detach_if_pending+0xab/0x200\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? detach_if_pending+0xab/0x200\n kasan_report+0xda/0x110\n ? detach_if_pending+0xab/0x200\n detach_if_pending+0xab/0x200\n timer_delete+0x96/0xe0\n ? __pfx_timer_delete+0x10/0x10\n ? rcu_is_watching+0x20/0x50\n try_to_grab_pending+0x46/0x3b0\n __cancel_work+0x89/0x1b0\n ? __pfx___cancel_work+0x10/0x10\n ? kasan_save_track+0x14/0x30\n cifs_close_deferred_file+0x110/0x2c0 [cifs]\n ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n ? __pfx_down_read+0x10/0x10\n cifs_oplock_break+0x4c1/0xa50 [cifs]\n ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n ? lock_is_held_type+0x85/0xf0\n ? mark_held_locks+0x1a/0x90\n process_one_work+0x4c6/0x9f0\n ? find_held_lock+0x8a/0xa0\n ? __pfx_process_one_work+0x10/0x10\n ? lock_acquired+0x220/0x550\n ? __list_add_valid_or_report+0x37/0x100\n worker_thread+0x2e4/0x570\n ? __kthread_parkme+0xd1/0xf0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x17f/0x1c0\n ? kthread+0xda/0x1c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 1118:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n cifs_atomic_open+0x467/0x770 [cifs]\n lookup_open.isra.0+0x665/0x8b0\n path_openat+0x4c3/0x1380\n do_filp_open+0x167/0x270\n do_sys_openat2+0x129/0x160\n __x64_sys_creat+0xad/0xe0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 83:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n poison_slab_object+0xe9/0x160\n __kasan_slab_free+0x32/0x50\n kfree+0xf2/0x300\n process_one_work+0x4c6/0x9f0\n worker_thread+0x2e4/0x570\n kthread+0x17f/0x1c0\n ret_from_fork+0x31/0x60\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x30/0x50\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x29/0xe0\n __queue_work+0x5ea/0x760\n queue_work_on+0x6d/0x90\n _cifsFileInfo_put+0x3f6/0x770 [cifs]\n smb2_compound_op+0x911/0x3940 [cifs]\n smb2_set_path_size+0x228/0x270 [cifs]\n cifs_set_file_size+0x197/0x460 [cifs]\n cifs_setattr+0xd9c/0x14b0 [cifs]\n notify_change+0x4e3/0x740\n do_truncate+0xfa/0x180\n vfs_truncate+0x195/0x200\n __x64_sys_truncate+0x109/0x150\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:34:31.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"
},
{
"url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"
},
{
"url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"
}
],
"title": "smb: client: fix double put of @cfile in smb2_set_path_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46796",
"datePublished": "2024-09-18T07:12:51.038Z",
"dateReserved": "2024-09-11T15:12:18.279Z",
"dateUpdated": "2025-05-04T09:34:31.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49687 (GCVE-0-2022-49687)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_net: fix xdp_rxq_info bug after suspend/resume
The following sequence currently causes a driver bug warning
when using virtio_net:
# ip link set eth0 up
# echo mem > /sys/power/state (or e.g. # rtcwake -s 10 -m mem)
<resume>
# ip link set eth0 down
Missing register, driver bug
WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60
Call trace:
xdp_rxq_info_unreg+0x58/0x60
virtnet_close+0x58/0xac
__dev_close_many+0xac/0x140
__dev_change_flags+0xd8/0x210
dev_change_flags+0x24/0x64
do_setlink+0x230/0xdd0
...
This happens because virtnet_freeze() frees the receive_queue
completely (including struct xdp_rxq_info) but does not call
xdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the
receive_queue again but does not call xdp_rxq_info_reg().
Actually, parts of virtnet_freeze_down() and virtnet_restore_up()
are almost identical to virtnet_close() and virtnet_open(): only
the calls to xdp_rxq_info_(un)reg() are missing. This means that
we can fix this easily and avoid such problems in the future by
just calling virtnet_close()/open() from the freeze/restore handlers.
Aside from adding the missing xdp_rxq_info calls the only difference
is that the refill work is only cancelled if netif_running(). However,
this should not make any functional difference since the refill work
should only be active if the network interface is actually up.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 754b8a21a96d5f11712245aef907149606b323ae Version: 754b8a21a96d5f11712245aef907149606b323ae Version: 754b8a21a96d5f11712245aef907149606b323ae Version: 754b8a21a96d5f11712245aef907149606b323ae Version: 754b8a21a96d5f11712245aef907149606b323ae Version: 754b8a21a96d5f11712245aef907149606b323ae |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9222672fa6370f0ec3d899662cb8680e9282fc4c",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
},
{
"lessThan": "8c7a32b7c15555beddc5810c3334d9cefff061bf",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
},
{
"lessThan": "340fbdc8011f2dc678f622c5ce1cbb5ab8305de7",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
},
{
"lessThan": "8d7fe9ad6fddc2af8bde4b921b4f8fab231ed38c",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
},
{
"lessThan": "57ee40f1b198b59d43c216fbc4672f9300d3c8b0",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
},
{
"lessThan": "8af52fe9fd3bf5e7478da99193c0632276e1dfce",
"status": "affected",
"version": "754b8a21a96d5f11712245aef907149606b323ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix xdp_rxq_info bug after suspend/resume\n\nThe following sequence currently causes a driver bug warning\nwhen using virtio_net:\n\n # ip link set eth0 up\n # echo mem \u003e /sys/power/state (or e.g. # rtcwake -s 10 -m mem)\n \u003cresume\u003e\n # ip link set eth0 down\n\n Missing register, driver bug\n WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60\n Call trace:\n xdp_rxq_info_unreg+0x58/0x60\n virtnet_close+0x58/0xac\n __dev_close_many+0xac/0x140\n __dev_change_flags+0xd8/0x210\n dev_change_flags+0x24/0x64\n do_setlink+0x230/0xdd0\n ...\n\nThis happens because virtnet_freeze() frees the receive_queue\ncompletely (including struct xdp_rxq_info) but does not call\nxdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the\nreceive_queue again but does not call xdp_rxq_info_reg().\n\nActually, parts of virtnet_freeze_down() and virtnet_restore_up()\nare almost identical to virtnet_close() and virtnet_open(): only\nthe calls to xdp_rxq_info_(un)reg() are missing. This means that\nwe can fix this easily and avoid such problems in the future by\njust calling virtnet_close()/open() from the freeze/restore handlers.\n\nAside from adding the missing xdp_rxq_info calls the only difference\nis that the refill work is only cancelled if netif_running(). However,\nthis should not make any functional difference since the refill work\nshould only be active if the network interface is actually up."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:19.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9222672fa6370f0ec3d899662cb8680e9282fc4c"
},
{
"url": "https://git.kernel.org/stable/c/8c7a32b7c15555beddc5810c3334d9cefff061bf"
},
{
"url": "https://git.kernel.org/stable/c/340fbdc8011f2dc678f622c5ce1cbb5ab8305de7"
},
{
"url": "https://git.kernel.org/stable/c/8d7fe9ad6fddc2af8bde4b921b4f8fab231ed38c"
},
{
"url": "https://git.kernel.org/stable/c/57ee40f1b198b59d43c216fbc4672f9300d3c8b0"
},
{
"url": "https://git.kernel.org/stable/c/8af52fe9fd3bf5e7478da99193c0632276e1dfce"
}
],
"title": "virtio_net: fix xdp_rxq_info bug after suspend/resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49687",
"datePublished": "2025-02-26T02:24:13.187Z",
"dateReserved": "2025-02-26T02:21:30.441Z",
"dateUpdated": "2025-05-04T08:43:19.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47517 (GCVE-0-2021-47517)
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2025-05-04 07:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: do not perform operations on net devices being unregistered
There is a short period between a net device starts to be unregistered
and when it is actually gone. In that time frame ethtool operations
could still be performed, which might end up in unwanted or undefined
behaviours[1].
Do not allow ethtool operations after a net device starts its
unregistration. This patch targets the netlink part as the ioctl one
isn't affected: the reference to the net device is taken and the
operation is executed within an rtnl lock section and the net device
won't be found after unregister.
[1] For example adding Tx queues after unregister ends up in NULL
pointer exceptions and UaFs, such as:
BUG: KASAN: use-after-free in kobject_get+0x14/0x90
Read of size 1 at addr ffff88801961248c by task ethtool/755
CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
Call Trace:
dump_stack_lvl+0x57/0x72
print_address_description.constprop.0+0x1f/0x140
kasan_report.cold+0x7f/0x11b
kobject_get+0x14/0x90
kobject_add_internal+0x3d1/0x450
kobject_init_and_add+0xba/0xf0
netdev_queue_update_kobjects+0xcf/0x200
netif_set_real_num_tx_queues+0xb4/0x310
veth_set_channels+0x1c3/0x550
ethnl_set_channels+0x524/0x610
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T19:18:28.551288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:57.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:39:59.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7c26da3be1e9843a15b5318f90db8a564479d2ac"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cfd719f04267108f5f5bf802b9d7de69e99a99f9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dde91ccfa25fd58f64c397d91b81a4b393100ffa"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c26da3be1e9843a15b5318f90db8a564479d2ac",
"status": "affected",
"version": "041b1c5d4a53e97fc9e029ae32469552ca12cb9b",
"versionType": "git"
},
{
"lessThan": "cfd719f04267108f5f5bf802b9d7de69e99a99f9",
"status": "affected",
"version": "041b1c5d4a53e97fc9e029ae32469552ca12cb9b",
"versionType": "git"
},
{
"lessThan": "dde91ccfa25fd58f64c397d91b81a4b393100ffa",
"status": "affected",
"version": "041b1c5d4a53e97fc9e029ae32469552ca12cb9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.87",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.8",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: do not perform operations on net devices being unregistered\n\nThere is a short period between a net device starts to be unregistered\nand when it is actually gone. In that time frame ethtool operations\ncould still be performed, which might end up in unwanted or undefined\nbehaviours[1].\n\nDo not allow ethtool operations after a net device starts its\nunregistration. This patch targets the netlink part as the ioctl one\nisn\u0027t affected: the reference to the net device is taken and the\noperation is executed within an rtnl lock section and the net device\nwon\u0027t be found after unregister.\n\n[1] For example adding Tx queues after unregister ends up in NULL\n pointer exceptions and UaFs, such as:\n\n BUG: KASAN: use-after-free in kobject_get+0x14/0x90\n Read of size 1 at addr ffff88801961248c by task ethtool/755\n\n CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014\n Call Trace:\n dump_stack_lvl+0x57/0x72\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x7f/0x11b\n kobject_get+0x14/0x90\n kobject_add_internal+0x3d1/0x450\n kobject_init_and_add+0xba/0xf0\n netdev_queue_update_kobjects+0xcf/0x200\n netif_set_real_num_tx_queues+0xb4/0x310\n veth_set_channels+0x1c3/0x550\n ethnl_set_channels+0x524/0x610"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:12:41.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c26da3be1e9843a15b5318f90db8a564479d2ac"
},
{
"url": "https://git.kernel.org/stable/c/cfd719f04267108f5f5bf802b9d7de69e99a99f9"
},
{
"url": "https://git.kernel.org/stable/c/dde91ccfa25fd58f64c397d91b81a4b393100ffa"
}
],
"title": "ethtool: do not perform operations on net devices being unregistered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47517",
"datePublished": "2024-05-24T15:09:30.675Z",
"dateReserved": "2024-05-24T15:02:54.824Z",
"dateUpdated": "2025-05-04T07:12:41.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49386 (GCVE-0-2022-49386)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
am65_cpsw_init_cpts() and am65_cpsw_nuss_probe() don't release
the refcount in error case.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:45.730008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:51.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/am65-cpsw-nuss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7ba2cc57f404d2d9f26fb85bd3833d35a477829",
"status": "affected",
"version": "93a76530316a3d8cc2d82c3deca48424fee92100",
"versionType": "git"
},
{
"lessThan": "a4b7ef3b159805ba6be061d0cd2403d84b9b0063",
"status": "affected",
"version": "93a76530316a3d8cc2d82c3deca48424fee92100",
"versionType": "git"
},
{
"lessThan": "78aca10a16f001c9f49f1cc4dadfee8d444bb173",
"status": "affected",
"version": "93a76530316a3d8cc2d82c3deca48424fee92100",
"versionType": "git"
},
{
"lessThan": "2e44f21c384503562713b7d3b673c40bed20af3d",
"status": "affected",
"version": "93a76530316a3d8cc2d82c3deca48424fee92100",
"versionType": "git"
},
{
"lessThan": "5dd89d2fc438457811cbbec07999ce0d80051ff5",
"status": "affected",
"version": "93a76530316a3d8cc2d82c3deca48424fee92100",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/am65-cpsw-nuss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nam65_cpsw_init_cpts() and am65_cpsw_nuss_probe() don\u0027t release\nthe refcount in error case.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:34.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7ba2cc57f404d2d9f26fb85bd3833d35a477829"
},
{
"url": "https://git.kernel.org/stable/c/a4b7ef3b159805ba6be061d0cd2403d84b9b0063"
},
{
"url": "https://git.kernel.org/stable/c/78aca10a16f001c9f49f1cc4dadfee8d444bb173"
},
{
"url": "https://git.kernel.org/stable/c/2e44f21c384503562713b7d3b673c40bed20af3d"
},
{
"url": "https://git.kernel.org/stable/c/5dd89d2fc438457811cbbec07999ce0d80051ff5"
}
],
"title": "net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49386",
"datePublished": "2025-02-26T02:11:21.197Z",
"dateReserved": "2025-02-26T02:08:31.560Z",
"dateUpdated": "2025-10-01T19:46:51.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49606 (GCVE-0-2022-49606)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix sleep from invalid context BUG
Taking the qos_mutex to process RoCEv2 QP's on netdev events causes a
kernel splat.
Fix this by removing the handling for RoCEv2 in
irdma_cm_teardown_connections that uses the mutex. This handling is only
needed for iWARP to avoid having connections established while the link is
down or having connections remain functional after the IP address is
removed.
BUG: sleeping function called from invalid context at kernel/locking/mutex.
Call Trace:
kernel: dump_stack+0x66/0x90
kernel: ___might_sleep.cold.92+0x8d/0x9a
kernel: mutex_lock+0x1c/0x40
kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma]
kernel: ? check_preempt_curr+0x7a/0x90
kernel: ? select_idle_sibling+0x22/0x3c0
kernel: ? select_task_rq_fair+0x94c/0xc90
kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma]
kernel: ? __wake_up_common+0x7a/0x190
kernel: irdma_if_notify+0x3cc/0x450 [irdma]
kernel: ? sched_clock_cpu+0xc/0xb0
kernel: irdma_inet6addr_event+0xc6/0x150 [irdma]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4c5115140ed1833197bad9a6b80265840ff427f",
"status": "affected",
"version": "146b9756f14c04894226fb97e2f102f217139c27",
"versionType": "git"
},
{
"lessThan": "2cae7e519032e4b4672cb9204d5586a441924364",
"status": "affected",
"version": "146b9756f14c04894226fb97e2f102f217139c27",
"versionType": "git"
},
{
"lessThan": "cc0315564d6eec91c716d314b743321be24c70b3",
"status": "affected",
"version": "146b9756f14c04894226fb97e2f102f217139c27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/cm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix sleep from invalid context BUG\n\nTaking the qos_mutex to process RoCEv2 QP\u0027s on netdev events causes a\nkernel splat.\n\nFix this by removing the handling for RoCEv2 in\nirdma_cm_teardown_connections that uses the mutex. This handling is only\nneeded for iWARP to avoid having connections established while the link is\ndown or having connections remain functional after the IP address is\nremoved.\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.\n Call Trace:\n kernel: dump_stack+0x66/0x90\n kernel: ___might_sleep.cold.92+0x8d/0x9a\n kernel: mutex_lock+0x1c/0x40\n kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma]\n kernel: ? check_preempt_curr+0x7a/0x90\n kernel: ? select_idle_sibling+0x22/0x3c0\n kernel: ? select_task_rq_fair+0x94c/0xc90\n kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma]\n kernel: ? __wake_up_common+0x7a/0x190\n kernel: irdma_if_notify+0x3cc/0x450 [irdma]\n kernel: ? sched_clock_cpu+0xc/0xb0\n kernel: irdma_inet6addr_event+0xc6/0x150 [irdma]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:39.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4c5115140ed1833197bad9a6b80265840ff427f"
},
{
"url": "https://git.kernel.org/stable/c/2cae7e519032e4b4672cb9204d5586a441924364"
},
{
"url": "https://git.kernel.org/stable/c/cc0315564d6eec91c716d314b743321be24c70b3"
}
],
"title": "RDMA/irdma: Fix sleep from invalid context BUG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49606",
"datePublished": "2025-02-26T02:23:31.346Z",
"dateReserved": "2025-02-26T02:21:30.417Z",
"dateUpdated": "2025-05-04T08:41:39.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49440 (GCVE-0-2022-49440)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: Keep MSR[RI] set when calling RTAS
RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
endian mode (MSR[SF,LE] unset).
The change in MSR is done in enter_rtas() in a relatively complex way,
since the MSR value could be hardcoded.
Furthermore, a panic has been reported when hitting the watchdog interrupt
while running in RTAS, this leads to the following stack trace:
watchdog: CPU 24 Hard LOCKUP
watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Oops: Unrecoverable System Reset, sig: 6 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
...
Supported: No, Unreleased kernel
CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
CFAR: 000000000000011c IRQMASK: 1
GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
NIP [000000001fb41050] 0x1fb41050
LR [000000001fb4104c] 0x1fb4104c
Call Trace:
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 3ddec07f638c34a2 ]---
This happens because MSR[RI] is unset when entering RTAS but there is no
valid reason to not set it here.
RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
"7.2.1 Machine State":
R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
its own critical regions from recursion by setting the MSR[RI] bit to
0 when in the critical regions.
Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
hardcoded value meaning real
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/entry_64.S",
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f4367448f6817c8a0e94dc9736ed84fa8eee4a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9c41f0273826a13ac93124e66a4ff45df281ba0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/entry_64.S",
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: Keep MSR[RI] set when calling RTAS\n\nRTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big\nendian mode (MSR[SF,LE] unset).\n\nThe change in MSR is done in enter_rtas() in a relatively complex way,\nsince the MSR value could be hardcoded.\n\nFurthermore, a panic has been reported when hitting the watchdog interrupt\nwhile running in RTAS, this leads to the following stack trace:\n\n watchdog: CPU 24 Hard LOCKUP\n watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)\n ...\n Supported: No, Unreleased kernel\n CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)\n MSR: 8000000002981000 \u003cSF,VEC,VSX,ME\u003e CR: 48800002 XER: 20040020\n CFAR: 000000000000011c IRQMASK: 1\n GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n NIP [000000001fb41050] 0x1fb41050\n LR [000000001fb4104c] 0x1fb4104c\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n Oops: Unrecoverable System Reset, sig: 6 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n ...\n Supported: No, Unreleased kernel\n CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)\n MSR: 8000000002981000 \u003cSF,VEC,VSX,ME\u003e CR: 48800002 XER: 20040020\n CFAR: 000000000000011c IRQMASK: 1\n GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n NIP [000000001fb41050] 0x1fb41050\n LR [000000001fb4104c] 0x1fb4104c\n Call Trace:\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 3ddec07f638c34a2 ]---\n\nThis happens because MSR[RI] is unset when entering RTAS but there is no\nvalid reason to not set it here.\n\nRTAS is expected to be called with MSR[RI] as specified in PAPR+ section\n\"7.2.1 Machine State\":\n\n R1\u20137.2.1\u20139. If called with MSR[RI] equal to 1, then RTAS must protect\n its own critical regions from recursion by setting the MSR[RI] bit to\n 0 when in the critical regions.\n\nFixing this by reviewing the way MSR is compute before calling RTAS. Now a\nhardcoded value meaning real \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:42.677Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d"
},
{
"url": "https://git.kernel.org/stable/c/5f4367448f6817c8a0e94dc9736ed84fa8eee4a3"
},
{
"url": "https://git.kernel.org/stable/c/c9c41f0273826a13ac93124e66a4ff45df281ba0"
},
{
"url": "https://git.kernel.org/stable/c/b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5"
}
],
"title": "powerpc/rtas: Keep MSR[RI] set when calling RTAS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49440",
"datePublished": "2025-02-26T02:12:53.988Z",
"dateReserved": "2025-02-26T02:08:31.570Z",
"dateUpdated": "2025-05-04T08:37:42.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49579 (GCVE-0-2022-49579)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix data-races around sysctl_fib_multipath_hash_policy.
While reading sysctl_fib_multipath_hash_policy, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its readers.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:36:20.971537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:54.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21fb844bc1dc1461f5038d655aa1a14f39e13049",
"status": "affected",
"version": "bf4e0a3db97eb882368fd82980b3b1fa0b5b9778",
"versionType": "git"
},
{
"lessThan": "918ee6592ab9a2ff5316d06cfd4aaef60ccabec6",
"status": "affected",
"version": "bf4e0a3db97eb882368fd82980b3b1fa0b5b9778",
"versionType": "git"
},
{
"lessThan": "7998c12a08c97cc26660532c9f90a34bd7d8da5a",
"status": "affected",
"version": "bf4e0a3db97eb882368fd82980b3b1fa0b5b9778",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix data-races around sysctl_fib_multipath_hash_policy.\n\nWhile reading sysctl_fib_multipath_hash_policy, it can be changed\nconcurrently. Thus, we need to add READ_ONCE() to its readers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:03.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21fb844bc1dc1461f5038d655aa1a14f39e13049"
},
{
"url": "https://git.kernel.org/stable/c/918ee6592ab9a2ff5316d06cfd4aaef60ccabec6"
},
{
"url": "https://git.kernel.org/stable/c/7998c12a08c97cc26660532c9f90a34bd7d8da5a"
}
],
"title": "ipv4: Fix data-races around sysctl_fib_multipath_hash_policy.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49579",
"datePublished": "2025-02-26T02:23:18.163Z",
"dateReserved": "2025-02-26T02:21:30.411Z",
"dateUpdated": "2025-10-01T19:36:54.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49495 (GCVE-0-2022-49495)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: check return value after calling platform_get_resource_byname()
It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,
we need check the return value.
Patchwork: https://patchwork.freedesktop.org/patch/482992/
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b Version: c6a57a50ad562a2e6fc6ac3218b710caea73a58b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:49.404258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cb1ee33efccb8b107ee04b7b3441820de3fd2da",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "c1bfacf0daf25a5fc7d667399d6ff2dffda84cd8",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "0978fcce91b90b561b8c82e7c492ba9fc8440eef",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "2b3ed7547b1a052209da6c4ab886ffe0eed88c42",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "d9cb951d11a4ace4de5c50b1178ad211de17079e",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "4cd66a8016b872a153bf892fe4258cbc0dacf5b1",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "6369dda4a2209142ab819f01d3d2076d81e3ebdd",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "9f5495a5c51c1d11c6ffc13aa2befffec0c2651a",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "a36e506711548df923ceb7ec9f6001375be799a5",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: check return value after calling platform_get_resource_byname()\n\nIt will cause null-ptr-deref if platform_get_resource_byname() returns NULL,\nwe need check the return value.\n\nPatchwork: https://patchwork.freedesktop.org/patch/482992/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:09.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cb1ee33efccb8b107ee04b7b3441820de3fd2da"
},
{
"url": "https://git.kernel.org/stable/c/c1bfacf0daf25a5fc7d667399d6ff2dffda84cd8"
},
{
"url": "https://git.kernel.org/stable/c/0978fcce91b90b561b8c82e7c492ba9fc8440eef"
},
{
"url": "https://git.kernel.org/stable/c/2b3ed7547b1a052209da6c4ab886ffe0eed88c42"
},
{
"url": "https://git.kernel.org/stable/c/d9cb951d11a4ace4de5c50b1178ad211de17079e"
},
{
"url": "https://git.kernel.org/stable/c/4cd66a8016b872a153bf892fe4258cbc0dacf5b1"
},
{
"url": "https://git.kernel.org/stable/c/6369dda4a2209142ab819f01d3d2076d81e3ebdd"
},
{
"url": "https://git.kernel.org/stable/c/9f5495a5c51c1d11c6ffc13aa2befffec0c2651a"
},
{
"url": "https://git.kernel.org/stable/c/a36e506711548df923ceb7ec9f6001375be799a5"
}
],
"title": "drm/msm/hdmi: check return value after calling platform_get_resource_byname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49495",
"datePublished": "2025-02-26T02:13:30.846Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:43.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49623 (GCVE-0-2022-49623)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/xive/spapr: correct bitmap allocation size
kasan detects access beyond the end of the xibm->bitmap allocation:
BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140
Read of size 8 at addr c00000001d1d0118 by task swapper/0/1
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28
Call Trace:
[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)
[c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710
[c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354
[c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0
[c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140
[c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260
[c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450
[c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118
[c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac
[c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640
[c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0
[c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64
Allocated by task 0:
kasan_save_stack+0x34/0x70
__kasan_kmalloc+0xb4/0xf0
__kmalloc+0x268/0x540
xive_spapr_init+0x4d0/0x77c
pseries_init_irq+0x40/0x27c
init_IRQ+0x44/0x84
start_kernel+0x2a4/0x538
start_here_common+0x1c/0x20
The buggy address belongs to the object at c00000001d1d0118
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [c00000001d1d0118, c00000001d1d0120)
The buggy address belongs to the physical page:
page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d
flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)
raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480
raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc
^
c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc
c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc
This happens because the allocation uses the wrong unit (bits) when it
should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small
numbers of bits, the allocated object can be smaller than sizeof(long),
which results in invalid accesses.
Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with
bitmap_free() for consistency.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:34.646128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:50.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xive/spapr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10f2cd373e65bcd3be8f3cdc71c330c25763dfd8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99d1c36bddd93919072b5a51a89297bbb5ad6a6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19fc5bb93c6bbdce8292b4d7eed04e2fa118d2fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/sysdev/xive/spapr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive/spapr: correct bitmap allocation size\n\nkasan detects access beyond the end of the xibm-\u003ebitmap allocation:\n\nBUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140\nRead of size 8 at addr c00000001d1d0118 by task swapper/0/1\n\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28\nCall Trace:\n[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)\n[c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710\n[c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354\n[c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0\n[c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140\n[c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260\n[c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450\n[c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118\n[c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac\n[c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640\n[c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0\n[c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64\n\nAllocated by task 0:\n kasan_save_stack+0x34/0x70\n __kasan_kmalloc+0xb4/0xf0\n __kmalloc+0x268/0x540\n xive_spapr_init+0x4d0/0x77c\n pseries_init_irq+0x40/0x27c\n init_IRQ+0x44/0x84\n start_kernel+0x2a4/0x538\n start_here_common+0x1c/0x20\n\nThe buggy address belongs to the object at c00000001d1d0118\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n 8-byte region [c00000001d1d0118, c00000001d1d0120)\n\nThe buggy address belongs to the physical page:\npage:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d\nflags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)\nraw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480\nraw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003ec00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc\n c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc\n\nThis happens because the allocation uses the wrong unit (bits) when it\nshould pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small\nnumbers of bits, the allocated object can be smaller than sizeof(long),\nwhich results in invalid accesses.\n\nUse bitmap_zalloc() to allocate and initialize the irq bitmap, paired with\nbitmap_free() for consistency."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:00.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10f2cd373e65bcd3be8f3cdc71c330c25763dfd8"
},
{
"url": "https://git.kernel.org/stable/c/99d1c36bddd93919072b5a51a89297bbb5ad6a6f"
},
{
"url": "https://git.kernel.org/stable/c/19fc5bb93c6bbdce8292b4d7eed04e2fa118d2fe"
}
],
"title": "powerpc/xive/spapr: correct bitmap allocation size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49623",
"datePublished": "2025-02-26T02:23:39.834Z",
"dateReserved": "2025-02-26T02:21:30.420Z",
"dateUpdated": "2025-10-01T19:36:50.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49488 (GCVE-0-2022-49488)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected
There is a possibility for mdp5_get_global_state to return
-EDEADLK when acquiring the modeset lock, but currently global_state in
mdp5_mixer_release doesn't check for if an error is returned.
To avoid a NULL dereference error, let's have mdp5_mixer_release
check if an error is returned and propagate that error.
Patchwork: https://patchwork.freedesktop.org/patch/485181/
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c Version: 7907a0d77cb461f58045763c205a5830be72e97c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a5d1474026ea4f1a6f931075ca2adb884af39cf",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "22d8424913b1348c6324916745fadaeea5273f0e",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "883f1d52a57bf51e1d7a80c432345e2c6222477e",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "09bdeedc1fc53e64b8282e1de67752c69e43bdba",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "47e393061049aff6818d1b9fdca7351411a23fc2",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "46e5ce63924a96af452c4fc5ee0bb3b241e1b9f4",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
},
{
"lessThan": "ca75f6f7c6f89365e40f10f641b15981b1f07c31",
"status": "affected",
"version": "7907a0d77cb461f58045763c205a5830be72e97c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.c",
"drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected\n\nThere is a possibility for mdp5_get_global_state to return\n-EDEADLK when acquiring the modeset lock, but currently global_state in\nmdp5_mixer_release doesn\u0027t check for if an error is returned.\n\nTo avoid a NULL dereference error, let\u0027s have mdp5_mixer_release\ncheck if an error is returned and propagate that error.\n\nPatchwork: https://patchwork.freedesktop.org/patch/485181/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:58.996Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a5d1474026ea4f1a6f931075ca2adb884af39cf"
},
{
"url": "https://git.kernel.org/stable/c/22d8424913b1348c6324916745fadaeea5273f0e"
},
{
"url": "https://git.kernel.org/stable/c/883f1d52a57bf51e1d7a80c432345e2c6222477e"
},
{
"url": "https://git.kernel.org/stable/c/09bdeedc1fc53e64b8282e1de67752c69e43bdba"
},
{
"url": "https://git.kernel.org/stable/c/47e393061049aff6818d1b9fdca7351411a23fc2"
},
{
"url": "https://git.kernel.org/stable/c/46e5ce63924a96af452c4fc5ee0bb3b241e1b9f4"
},
{
"url": "https://git.kernel.org/stable/c/ca75f6f7c6f89365e40f10f641b15981b1f07c31"
}
],
"title": "drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49488",
"datePublished": "2025-02-26T02:13:26.116Z",
"dateReserved": "2025-02-26T02:08:31.583Z",
"dateUpdated": "2025-05-04T08:38:58.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49626 (GCVE-0-2022-49626)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix use after free when disabling sriov
Use after free is detected by kfence when disabling sriov. What was read
after being freed was vf->pci_dev: it was freed from pci_disable_sriov
and later read in efx_ef10_sriov_free_vf_vports, called from
efx_ef10_sriov_free_vf_vswitching.
Set the pointer to NULL at release time to not trying to read it later.
Reproducer and dmesg log (note that kfence doesn't detect it every time):
$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):
efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]
efx_pci_sriov_configure+0x24/0x40 [sfc]
sriov_numvfs_store+0xfe/0x140
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x11f/0x1b0
vfs_write+0x1eb/0x280
ksys_write+0x5f/0xe0
do_syscall_64+0x5c/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k
allocated by task 6771 on cpu 10 at 3137.860196s:
pci_alloc_dev+0x21/0x60
pci_iov_add_virtfn+0x2a2/0x320
sriov_enable+0x212/0x3e0
efx_ef10_sriov_configure+0x67/0x80 [sfc]
efx_pci_sriov_configure+0x24/0x40 [sfc]
sriov_numvfs_store+0xba/0x140
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x11f/0x1b0
vfs_write+0x1eb/0x280
ksys_write+0x5f/0xe0
do_syscall_64+0x5c/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
freed by task 6771 on cpu 12 at 3170.991309s:
device_release+0x34/0x90
kobject_cleanup+0x3a/0x130
pci_iov_remove_virtfn+0xd9/0x120
sriov_disable+0x30/0xe0
efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]
efx_pci_sriov_configure+0x24/0x40 [sfc]
sriov_numvfs_store+0xfe/0x140
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x11f/0x1b0
vfs_write+0x1eb/0x280
ksys_write+0x5f/0xe0
do_syscall_64+0x5c/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db Version: 3c5eb87605e85146a78de589b5070a37862425db |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:26.254621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10_sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3199e34912d84cdfb8a93a984c5ae5c73fb13e84",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "c9e75bb22a26e391f189f5a5133dd63dcb57fdaa",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "9c854ae512b89229aeee93849e9bd4c115b37909",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "bcad880865bfb421885364b1f0c7351280fe2b97",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "c2240500817b3b4b996cdf2a461a3a5679f49b94",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "58d93e9d160c0de6d867c7eb4c2206671a351eb1",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "e435c4aeeaa073091f7f3b7735af2ef5c97d63f2",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
},
{
"lessThan": "ebe41da5d47ac0fff877e57bd14c54dccf168827",
"status": "affected",
"version": "3c5eb87605e85146a78de589b5070a37862425db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10_sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix use after free when disabling sriov\n\nUse after free is detected by kfence when disabling sriov. What was read\nafter being freed was vf-\u003epci_dev: it was freed from pci_disable_sriov\nand later read in efx_ef10_sriov_free_vf_vports, called from\nefx_ef10_sriov_free_vf_vswitching.\n\nSet the pointer to NULL at release time to not trying to read it later.\n\nReproducer and dmesg log (note that kfence doesn\u0027t detect it every time):\n$ echo 1 \u003e /sys/class/net/enp65s0f0np0/device/sriov_numvfs\n$ echo 0 \u003e /sys/class/net/enp65s0f0np0/device/sriov_numvfs\n\n BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]\n\n Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):\n efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]\n efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]\n efx_pci_sriov_configure+0x24/0x40 [sfc]\n sriov_numvfs_store+0xfe/0x140\n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x11f/0x1b0\n vfs_write+0x1eb/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x5c/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k\n\n allocated by task 6771 on cpu 10 at 3137.860196s:\n pci_alloc_dev+0x21/0x60\n pci_iov_add_virtfn+0x2a2/0x320\n sriov_enable+0x212/0x3e0\n efx_ef10_sriov_configure+0x67/0x80 [sfc]\n efx_pci_sriov_configure+0x24/0x40 [sfc]\n sriov_numvfs_store+0xba/0x140\n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x11f/0x1b0\n vfs_write+0x1eb/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x5c/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n freed by task 6771 on cpu 12 at 3170.991309s:\n device_release+0x34/0x90\n kobject_cleanup+0x3a/0x130\n pci_iov_remove_virtfn+0xd9/0x120\n sriov_disable+0x30/0xe0\n efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]\n efx_pci_sriov_configure+0x24/0x40 [sfc]\n sriov_numvfs_store+0xfe/0x140\n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x11f/0x1b0\n vfs_write+0x1eb/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x5c/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:05.577Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3199e34912d84cdfb8a93a984c5ae5c73fb13e84"
},
{
"url": "https://git.kernel.org/stable/c/c9e75bb22a26e391f189f5a5133dd63dcb57fdaa"
},
{
"url": "https://git.kernel.org/stable/c/9c854ae512b89229aeee93849e9bd4c115b37909"
},
{
"url": "https://git.kernel.org/stable/c/bcad880865bfb421885364b1f0c7351280fe2b97"
},
{
"url": "https://git.kernel.org/stable/c/c2240500817b3b4b996cdf2a461a3a5679f49b94"
},
{
"url": "https://git.kernel.org/stable/c/58d93e9d160c0de6d867c7eb4c2206671a351eb1"
},
{
"url": "https://git.kernel.org/stable/c/e435c4aeeaa073091f7f3b7735af2ef5c97d63f2"
},
{
"url": "https://git.kernel.org/stable/c/ebe41da5d47ac0fff877e57bd14c54dccf168827"
}
],
"title": "sfc: fix use after free when disabling sriov",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49626",
"datePublished": "2025-02-26T02:23:41.274Z",
"dateReserved": "2025-02-26T02:21:30.421Z",
"dateUpdated": "2025-05-04T08:42:05.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53176 (GCVE-0-2024-53176)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-05-04 09:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: During unmount, ensure all cached dir instances drop their dentry
The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can
race with various cached directory operations, which ultimately results
in dentries not being dropped and these kernel BUGs:
BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
VFS: Busy inodes after unmount of cifs (cifs)
------------[ cut here ]------------
kernel BUG at fs/super.c:661!
This happens when a cfid is in the process of being cleaned up when, and
has been removed from the cfids->entries list, including:
- Receiving a lease break from the server
- Server reconnection triggers invalidate_all_cached_dirs(), which
removes all the cfids from the list
- The laundromat thread decides to expire an old cfid.
To solve these problems, dropping the dentry is done in queued work done
in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs()
flushes that workqueue after it drops all the dentries of which it's
aware. This is a global workqueue (rather than scoped to a mount), but
the queued work is minimal.
The final cleanup work for cleaning up a cfid is performed via work
queued in the serverclose_wq workqueue; this is done separate from
dropping the dentries so that close_all_cached_dirs() doesn't block on
any server operations.
Both of these queued works expect to invoked with a cfid reference and
a tcon reference to avoid those objects from being freed while the work
is ongoing.
While we're here, add proper locking to close_all_cached_dirs(), and
locking around the freeing of cfid->dentry.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c",
"fs/smb/client/cached_dir.h",
"fs/smb/client/cifsfs.c",
"fs/smb/client/cifsglob.h",
"fs/smb/client/inode.c",
"fs/smb/client/trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73934e535cffbda1490fa97d82690a0f9aa73e94",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "ff4528bbc82d0d90073751f7b49e7b9e9c7e5638",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "548812afd96982a76a93ba76c0582ea670c40d9e",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "3fa640d035e5ae526769615c35cb9ed4be6e3662",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c",
"fs/smb/client/cached_dir.h",
"fs/smb/client/cifsfs.c",
"fs/smb/client/cifsglob.h",
"fs/smb/client/inode.c",
"fs/smb/client/trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: During unmount, ensure all cached dir instances drop their dentry\n\nThe unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can\nrace with various cached directory operations, which ultimately results\nin dentries not being dropped and these kernel BUGs:\n\nBUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]\nVFS: Busy inodes after unmount of cifs (cifs)\n------------[ cut here ]------------\nkernel BUG at fs/super.c:661!\n\nThis happens when a cfid is in the process of being cleaned up when, and\nhas been removed from the cfids-\u003eentries list, including:\n\n- Receiving a lease break from the server\n- Server reconnection triggers invalidate_all_cached_dirs(), which\n removes all the cfids from the list\n- The laundromat thread decides to expire an old cfid.\n\nTo solve these problems, dropping the dentry is done in queued work done\nin a newly-added cfid_put_wq workqueue, and close_all_cached_dirs()\nflushes that workqueue after it drops all the dentries of which it\u0027s\naware. This is a global workqueue (rather than scoped to a mount), but\nthe queued work is minimal.\n\nThe final cleanup work for cleaning up a cfid is performed via work\nqueued in the serverclose_wq workqueue; this is done separate from\ndropping the dentries so that close_all_cached_dirs() doesn\u0027t block on\nany server operations.\n\nBoth of these queued works expect to invoked with a cfid reference and\na tcon reference to avoid those objects from being freed while the work\nis ongoing.\n\nWhile we\u0027re here, add proper locking to close_all_cached_dirs(), and\nlocking around the freeing of cfid-\u003edentry."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:54:58.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94"
},
{
"url": "https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638"
},
{
"url": "https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e"
},
{
"url": "https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662"
}
],
"title": "smb: During unmount, ensure all cached dir instances drop their dentry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53176",
"datePublished": "2024-12-27T13:49:20.518Z",
"dateReserved": "2024-11-19T17:17:25.007Z",
"dateUpdated": "2025-05-04T09:54:58.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49394 (GCVE-0-2022-49394)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-iolatency: Fix inflight count imbalances and IO hangs on offline
iolatency needs to track the number of inflight IOs per cgroup. As this
tracking can be expensive, it is disabled when no cgroup has iolatency
configured for the device. To ensure that the inflight counters stay
balanced, iolatency_set_limit() freezes the request_queue while manipulating
the enabled counter, which ensures that no IO is in flight and thus all
counters are zero.
Unfortunately, iolatency_set_limit() isn't the only place where the enabled
counter is manipulated. iolatency_pd_offline() can also dec the counter and
trigger disabling. As this disabling happens without freezing the q, this
can easily happen while some IOs are in flight and thus leak the counts.
This can be easily demonstrated by turning on iolatency on an one empty
cgroup while IOs are in flight in other cgroups and then removing the
cgroup. Note that iolatency shouldn't have been enabled elsewhere in the
system to ensure that removing the cgroup disables iolatency for the whole
device.
The following keeps flipping on and off iolatency on sda:
echo +io > /sys/fs/cgroup/cgroup.subtree_control
while true; do
mkdir -p /sys/fs/cgroup/test
echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency
sleep 1
rmdir /sys/fs/cgroup/test
sleep 1
done
and there's concurrent fio generating direct rand reads:
fio --name test --filename=/dev/sda --direct=1 --rw=randread \
--runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k
while monitoring with the following drgn script:
while True:
for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):
for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):
blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')
pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]
if pd.value_() == 0:
continue
iolat = container_of(pd, 'struct iolatency_grp', 'pd')
inflight = iolat.rq_wait.inflight.counter.value_()
if inflight:
print(f'inflight={inflight} {disk_name(blkg.q.disk).decode("utf-8")} '
f'{cgroup_path(css.cgroup).decode("utf-8")}')
time.sleep(1)
The monitoring output looks like the following:
inflight=1 sda /user.slice
inflight=1 sda /user.slice
...
inflight=14 sda /user.slice
inflight=13 sda /user.slice
inflight=17 sda /user.slice
inflight=15 sda /user.slice
inflight=18 sda /user.slice
inflight=17 sda /user.slice
inflight=20 sda /user.slice
inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19
inflight=19 sda /user.slice
inflight=19 sda /user.slice
If a cgroup with stuck inflight ends up getting throttled, the throttled IOs
will never get issued as there's no completion event to wake it up leading
to an indefinite hang.
This patch fixes the bug by unifying enable handling into a work item which
is automatically kicked off from iolatency_set_min_lat_nsec() which is
called from both iolatency_set_limit() and iolatency_pd_offline() paths.
Punting to a work item is necessary as iolatency_pd_offline() is called
under spinlocks while freezing a request_queue requires a sleepable context.
This also simplifies the code reducing LOC sans the comments and avoids the
unnecessary freezes which were happening whenever a cgroup's latency target
is newly set or cleared.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6d482bc5697763eb1214f207286daa201b32d20a Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: 8c772a9bfc7c07c76f4a58b58910452fbb20843b Version: beed6109acd4efc2f1717c31bddcd0ad7ebbf253 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-iolatency.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "515d077ee3085ae343b6bea7fd031f9906645f38",
"status": "affected",
"version": "6d482bc5697763eb1214f207286daa201b32d20a",
"versionType": "git"
},
{
"lessThan": "d19fa8f252000d141f9199ca32959c50314e1f05",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"lessThan": "77692c02e1517c54f2fd0535f41aa4286ac9f140",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"lessThan": "a30acbb5dfb7bcc813ad6a18ca31011ac44e5547",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"lessThan": "968f7a239c590454ffba79c126fbe0e963a0ba78",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"lessThan": "5b0ff3ebbef791341695b718f8d2870869cf1d01",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"lessThan": "8a177a36da6c54c98b8685d4f914cb3637d53c0d",
"status": "affected",
"version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b",
"versionType": "git"
},
{
"status": "affected",
"version": "beed6109acd4efc2f1717c31bddcd0ad7ebbf253",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-iolatency.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.19.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix inflight count imbalances and IO hangs on offline\n\niolatency needs to track the number of inflight IOs per cgroup. As this\ntracking can be expensive, it is disabled when no cgroup has iolatency\nconfigured for the device. To ensure that the inflight counters stay\nbalanced, iolatency_set_limit() freezes the request_queue while manipulating\nthe enabled counter, which ensures that no IO is in flight and thus all\ncounters are zero.\n\nUnfortunately, iolatency_set_limit() isn\u0027t the only place where the enabled\ncounter is manipulated. iolatency_pd_offline() can also dec the counter and\ntrigger disabling. As this disabling happens without freezing the q, this\ncan easily happen while some IOs are in flight and thus leak the counts.\n\nThis can be easily demonstrated by turning on iolatency on an one empty\ncgroup while IOs are in flight in other cgroups and then removing the\ncgroup. Note that iolatency shouldn\u0027t have been enabled elsewhere in the\nsystem to ensure that removing the cgroup disables iolatency for the whole\ndevice.\n\nThe following keeps flipping on and off iolatency on sda:\n\n echo +io \u003e /sys/fs/cgroup/cgroup.subtree_control\n while true; do\n mkdir -p /sys/fs/cgroup/test\n echo \u00278:0 target=100000\u0027 \u003e /sys/fs/cgroup/test/io.latency\n sleep 1\n rmdir /sys/fs/cgroup/test\n sleep 1\n done\n\nand there\u0027s concurrent fio generating direct rand reads:\n\n fio --name test --filename=/dev/sda --direct=1 --rw=randread \\\n --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k\n\nwhile monitoring with the following drgn script:\n\n while True:\n for css in css_for_each_descendant_pre(prog[\u0027blkcg_root\u0027].css.address_of_()):\n for pos in hlist_for_each(container_of(css, \u0027struct blkcg\u0027, \u0027css\u0027).blkg_list):\n blkg = container_of(pos, \u0027struct blkcg_gq\u0027, \u0027blkcg_node\u0027)\n pd = blkg.pd[prog[\u0027blkcg_policy_iolatency\u0027].plid]\n if pd.value_() == 0:\n continue\n iolat = container_of(pd, \u0027struct iolatency_grp\u0027, \u0027pd\u0027)\n inflight = iolat.rq_wait.inflight.counter.value_()\n if inflight:\n print(f\u0027inflight={inflight} {disk_name(blkg.q.disk).decode(\"utf-8\")} \u0027\n f\u0027{cgroup_path(css.cgroup).decode(\"utf-8\")}\u0027)\n time.sleep(1)\n\nThe monitoring output looks like the following:\n\n inflight=1 sda /user.slice\n inflight=1 sda /user.slice\n ...\n inflight=14 sda /user.slice\n inflight=13 sda /user.slice\n inflight=17 sda /user.slice\n inflight=15 sda /user.slice\n inflight=18 sda /user.slice\n inflight=17 sda /user.slice\n inflight=20 sda /user.slice\n inflight=19 sda /user.slice \u003c- fio stopped, inflight stuck at 19\n inflight=19 sda /user.slice\n inflight=19 sda /user.slice\n\nIf a cgroup with stuck inflight ends up getting throttled, the throttled IOs\nwill never get issued as there\u0027s no completion event to wake it up leading\nto an indefinite hang.\n\nThis patch fixes the bug by unifying enable handling into a work item which\nis automatically kicked off from iolatency_set_min_lat_nsec() which is\ncalled from both iolatency_set_limit() and iolatency_pd_offline() paths.\nPunting to a work item is necessary as iolatency_pd_offline() is called\nunder spinlocks while freezing a request_queue requires a sleepable context.\n\nThis also simplifies the code reducing LOC sans the comments and avoids the\nunnecessary freezes which were happening whenever a cgroup\u0027s latency target\nis newly set or cleared."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:35.305Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/515d077ee3085ae343b6bea7fd031f9906645f38"
},
{
"url": "https://git.kernel.org/stable/c/d19fa8f252000d141f9199ca32959c50314e1f05"
},
{
"url": "https://git.kernel.org/stable/c/77692c02e1517c54f2fd0535f41aa4286ac9f140"
},
{
"url": "https://git.kernel.org/stable/c/a30acbb5dfb7bcc813ad6a18ca31011ac44e5547"
},
{
"url": "https://git.kernel.org/stable/c/968f7a239c590454ffba79c126fbe0e963a0ba78"
},
{
"url": "https://git.kernel.org/stable/c/5b0ff3ebbef791341695b718f8d2870869cf1d01"
},
{
"url": "https://git.kernel.org/stable/c/8a177a36da6c54c98b8685d4f914cb3637d53c0d"
}
],
"title": "blk-iolatency: Fix inflight count imbalances and IO hangs on offline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49394",
"datePublished": "2025-02-26T02:11:25.197Z",
"dateReserved": "2025-02-26T02:08:31.562Z",
"dateUpdated": "2025-05-04T12:44:35.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56651 (GCVE-0-2024-56651)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-11-03 20:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: hi3110_can_ist(): fix potential use-after-free
The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr
during bus-off") removed the reporting of rxerr and txerr even in case
of correct operation (i. e. not bus-off).
The error count information added to the CAN frame after netif_rx() is
a potential use after free, since there is no guarantee that the skb
is in the same state. It might be freed or reused.
Fix the issue by postponing the netif_rx() call in case of txerr and
rxerr reporting.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a22bd630cfff496b270211745536e50e98eb3a45 Version: a22bd630cfff496b270211745536e50e98eb3a45 Version: a22bd630cfff496b270211745536e50e98eb3a45 Version: a22bd630cfff496b270211745536e50e98eb3a45 Version: 303733fdab728d34708014b3096dc69ebae6e531 Version: 410054f1cf75378a6f009359e5952a240102a1a2 Version: d20bf7e76136fd4c1e47502a1f5773f2290013ed Version: 22e382d47de09e865a9214cc5c9f99256e65deaa Version: dcfcd5fc999b1eb7946de1fd031bc3aaf224c5ae Version: 330b0ac34beec4fef8b002549af5bc6d0b6f0836 Version: f3d865a6b791abbc874739ed702ae64ad2607511 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:42.778830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:21.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:58.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ad77eb8f2e07bcfa0e28887d3c7dbb732d92cc1",
"status": "affected",
"version": "a22bd630cfff496b270211745536e50e98eb3a45",
"versionType": "git"
},
{
"lessThan": "1128022009444faf49359bd406cd665b177cb643",
"status": "affected",
"version": "a22bd630cfff496b270211745536e50e98eb3a45",
"versionType": "git"
},
{
"lessThan": "bc30b2fe8c54694f8ae08a5b8a5d174d16d93075",
"status": "affected",
"version": "a22bd630cfff496b270211745536e50e98eb3a45",
"versionType": "git"
},
{
"lessThan": "9ad86d377ef4a19c75a9c639964879a5b25a433b",
"status": "affected",
"version": "a22bd630cfff496b270211745536e50e98eb3a45",
"versionType": "git"
},
{
"status": "affected",
"version": "303733fdab728d34708014b3096dc69ebae6e531",
"versionType": "git"
},
{
"status": "affected",
"version": "410054f1cf75378a6f009359e5952a240102a1a2",
"versionType": "git"
},
{
"status": "affected",
"version": "d20bf7e76136fd4c1e47502a1f5773f2290013ed",
"versionType": "git"
},
{
"status": "affected",
"version": "22e382d47de09e865a9214cc5c9f99256e65deaa",
"versionType": "git"
},
{
"status": "affected",
"version": "dcfcd5fc999b1eb7946de1fd031bc3aaf224c5ae",
"versionType": "git"
},
{
"status": "affected",
"version": "330b0ac34beec4fef8b002549af5bc6d0b6f0836",
"versionType": "git"
},
{
"status": "affected",
"version": "f3d865a6b791abbc874739ed702ae64ad2607511",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/hi311x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: hi3110_can_ist(): fix potential use-after-free\n\nThe commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr\nduring bus-off\") removed the reporting of rxerr and txerr even in case\nof correct operation (i. e. not bus-off).\n\nThe error count information added to the CAN frame after netif_rx() is\na potential use after free, since there is no guarantee that the skb\nis in the same state. It might be freed or reused.\n\nFix the issue by postponing the netif_rx() call in case of txerr and\nrxerr reporting."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:00.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ad77eb8f2e07bcfa0e28887d3c7dbb732d92cc1"
},
{
"url": "https://git.kernel.org/stable/c/1128022009444faf49359bd406cd665b177cb643"
},
{
"url": "https://git.kernel.org/stable/c/bc30b2fe8c54694f8ae08a5b8a5d174d16d93075"
},
{
"url": "https://git.kernel.org/stable/c/9ad86d377ef4a19c75a9c639964879a5b25a433b"
}
],
"title": "can: hi311x: hi3110_can_ist(): fix potential use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56651",
"datePublished": "2024-12-27T15:02:50.759Z",
"dateReserved": "2024-12-27T15:00:39.841Z",
"dateUpdated": "2025-11-03T20:51:58.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-1184 (GCVE-0-2022-1184)
Vulnerability from cvelistv5
Published
2022-08-29 00:00
Modified
2024-08-02 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-416 - - Use After Free
Summary
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2070205"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-1184"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2022-1184"
},
{
"name": "DSA-5257",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5257"
},
{
"name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Not-known"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel\u2019s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 - Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2070205"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2022-1184"
},
{
"url": "https://ubuntu.com/security/CVE-2022-1184"
},
{
"name": "DSA-5257",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5257"
},
{
"name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1184",
"datePublished": "2022-08-29T00:00:00",
"dateReserved": "2022-03-30T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58017 (GCVE-0-2024-58017)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX
Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which
leads to undefined behavior. To prevent this, cast 1 to u32 before
performing the shift, ensuring well-defined behavior.
This change explicitly avoids any potential overflow by ensuring that
the shift occurs on an unsigned 32-bit integer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e Version: 55b2c1ccb82143be1ed9e1922976dbe63917fe68 Version: 089d475a4cdb5848998b3cb37e545413ed054784 Version: 695583334b6b7f82c39ee124edfbfa48145ed571 Version: 3404019d6d0f4c0108b77d44e97e2e39ca937e6f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:36.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/printk/printk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54c14022fa2ba427dc543455c2cf9225903a7174",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "dfb7b179741ee09506dc7719d92f9e1cea01f10e",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "9a6d43844de2479a3ff8d674c3e2a16172e01598",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "4acf6bab775dbd22a9a799030a808a7305e01d63",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "404e5fd918a0b14abec06c7eca128f04c9b98e41",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "4a2c4e7265b8eed83c25d86d702cea06493cab18",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"lessThan": "3d6f83df8ff2d5de84b50377e4f0d45e25311c7a",
"status": "affected",
"version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
"versionType": "git"
},
{
"status": "affected",
"version": "55b2c1ccb82143be1ed9e1922976dbe63917fe68",
"versionType": "git"
},
{
"status": "affected",
"version": "089d475a4cdb5848998b3cb37e545413ed054784",
"versionType": "git"
},
{
"status": "affected",
"version": "695583334b6b7f82c39ee124edfbfa48145ed571",
"versionType": "git"
},
{
"status": "affected",
"version": "3404019d6d0f4c0108b77d44e97e2e39ca937e6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/printk/printk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprintk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX\n\nShifting 1 \u003c\u003c 31 on a 32-bit int causes signed integer overflow, which\nleads to undefined behavior. To prevent this, cast 1 to u32 before\nperforming the shift, ensuring well-defined behavior.\n\nThis change explicitly avoids any potential overflow by ensuring that\nthe shift occurs on an unsigned 32-bit integer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:59:23.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54c14022fa2ba427dc543455c2cf9225903a7174"
},
{
"url": "https://git.kernel.org/stable/c/dfb7b179741ee09506dc7719d92f9e1cea01f10e"
},
{
"url": "https://git.kernel.org/stable/c/bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1"
},
{
"url": "https://git.kernel.org/stable/c/9a6d43844de2479a3ff8d674c3e2a16172e01598"
},
{
"url": "https://git.kernel.org/stable/c/4acf6bab775dbd22a9a799030a808a7305e01d63"
},
{
"url": "https://git.kernel.org/stable/c/404e5fd918a0b14abec06c7eca128f04c9b98e41"
},
{
"url": "https://git.kernel.org/stable/c/4a2c4e7265b8eed83c25d86d702cea06493cab18"
},
{
"url": "https://git.kernel.org/stable/c/3d6f83df8ff2d5de84b50377e4f0d45e25311c7a"
}
],
"title": "printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58017",
"datePublished": "2025-02-27T02:12:09.075Z",
"dateReserved": "2025-02-27T02:10:48.228Z",
"dateUpdated": "2025-11-03T19:33:36.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57980 (GCVE-0-2024-57980)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix double free in error path
If the uvc_status_init() function fails to allocate the int_urb, it will
free the dev->status pointer but doesn't reset the pointer to NULL. This
results in the kfree() call in uvc_status_cleanup() trying to
double-free the memory. Fix it by resetting the dev->status pointer to
NULL after freeing it.
Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:59.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "87522ef165e5b6de8ef98cc318f3335166a1512c",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "9232719ac9ce4d5c213cebda23d72aec3e1c4c0d",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "6c36dcd662ec5276782838660f8533a7cb26be49",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d1f8e69eec91d5a75ef079778a5d0151db2a7f22",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "d8e63dd7b6683969d3d47c7b8e9635f96d554ad4",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
},
{
"lessThan": "c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac",
"status": "affected",
"version": "a31a4055473bf0a7b2b06cb2262347200d0711e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_status.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:38.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d"
},
{
"url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c"
},
{
"url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277"
},
{
"url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d"
},
{
"url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49"
},
{
"url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22"
},
{
"url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4"
},
{
"url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac"
}
],
"title": "media: uvcvideo: Fix double free in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57980",
"datePublished": "2025-02-27T02:07:06.849Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2025-11-03T19:32:59.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49472 (GCVE-0-2022-49472)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: micrel: Allow probing without .driver_data
Currently, if the .probe element is present in the phy_driver structure
and the .driver_data is not, a NULL pointer dereference happens.
Allow passing .probe without .driver_data by inserting NULL checks
for priv->type.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:46.280244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:46.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/micrel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7dcb404662839a4ed1a9703658fee979eb894ca4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91e720b32cba25fa58eaa4c88fe957009cffe9f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e5fbfc2a6f384e3195446c14bbd3bc298eb88c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "abb5594ae2ba7b82cce85917cc6337ec5d774837",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "660dfa033ccc9afb032015b6dc76e846bba42cfb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "143878e18001c5a61fcc7ae5c5240323753bb641",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd219273b4e004a3f853da72e111fc8f81357501",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2ef6f7539c68c6bd6c32323d8845ee102b7c450",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/micrel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: Allow probing without .driver_data\n\nCurrently, if the .probe element is present in the phy_driver structure\nand the .driver_data is not, a NULL pointer dereference happens.\n\nAllow passing .probe without .driver_data by inserting NULL checks\nfor priv-\u003etype."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:27.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7dcb404662839a4ed1a9703658fee979eb894ca4"
},
{
"url": "https://git.kernel.org/stable/c/91e720b32cba25fa58eaa4c88fe957009cffe9f3"
},
{
"url": "https://git.kernel.org/stable/c/1e5fbfc2a6f384e3195446c14bbd3bc298eb88c2"
},
{
"url": "https://git.kernel.org/stable/c/abb5594ae2ba7b82cce85917cc6337ec5d774837"
},
{
"url": "https://git.kernel.org/stable/c/660dfa033ccc9afb032015b6dc76e846bba42cfb"
},
{
"url": "https://git.kernel.org/stable/c/143878e18001c5a61fcc7ae5c5240323753bb641"
},
{
"url": "https://git.kernel.org/stable/c/bd219273b4e004a3f853da72e111fc8f81357501"
},
{
"url": "https://git.kernel.org/stable/c/f2ef6f7539c68c6bd6c32323d8845ee102b7c450"
}
],
"title": "net: phy: micrel: Allow probing without .driver_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49472",
"datePublished": "2025-02-26T02:13:15.337Z",
"dateReserved": "2025-02-26T02:08:31.579Z",
"dateUpdated": "2025-10-01T19:46:46.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49617 (GCVE-0-2022-49617)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: sof_sdw: handle errors on card registration
If the card registration fails, typically because of deferred probes,
the device properties added for headset codecs are not removed, which
leads to kernel oopses in driver bind/unbind tests.
We already clean-up the device properties when the card is removed,
this code can be moved as a helper and called upon card registration
errors.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/sof_sdw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2556ce6b35ae0fc72000a4daa21ded12665e2f2",
"status": "affected",
"version": "52db12d193d45728e738df6119702cba08fd46a2",
"versionType": "git"
},
{
"lessThan": "09bca0ffc95c50369f1345d80ecfaca51864126f",
"status": "affected",
"version": "52db12d193d45728e738df6119702cba08fd46a2",
"versionType": "git"
},
{
"lessThan": "fe154c4ff376bc31041c6441958a08243df09c99",
"status": "affected",
"version": "52db12d193d45728e738df6119702cba08fd46a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/boards/sof_sdw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: handle errors on card registration\n\nIf the card registration fails, typically because of deferred probes,\nthe device properties added for headset codecs are not removed, which\nleads to kernel oopses in driver bind/unbind tests.\n\nWe already clean-up the device properties when the card is removed,\nthis code can be moved as a helper and called upon card registration\nerrors."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:52.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2556ce6b35ae0fc72000a4daa21ded12665e2f2"
},
{
"url": "https://git.kernel.org/stable/c/09bca0ffc95c50369f1345d80ecfaca51864126f"
},
{
"url": "https://git.kernel.org/stable/c/fe154c4ff376bc31041c6441958a08243df09c99"
}
],
"title": "ASoC: Intel: sof_sdw: handle errors on card registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49617",
"datePublished": "2025-02-26T02:23:36.654Z",
"dateReserved": "2025-02-26T02:21:30.419Z",
"dateUpdated": "2025-05-04T08:41:52.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49275 (GCVE-0-2022-49275)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: m_can: m_can_tx_handler(): fix use after free of skb
can_put_echo_skb() will clone skb then free the skb. Move the
can_put_echo_skb() for the m_can version 3.0.x directly before the
start of the xmit in hardware, similar to the 3.1.x branch.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 Version: 80646733f11c2e9de3b6339f7e635047e6087280 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T18:03:19.289491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T18:07:17.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/m_can/m_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d93ed9aff64968f4cdad690712eb4f48ae537bde",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "d3892a747ab16b1eb6593a19d29f62c3b3f020ac",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "7728d937ec403a1ceff9483023252d2cb8777f81",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "08d90846e438ac22dc56fc49ec0b0d195831c5ed",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "869016a2938ac44f7b2fb7fc22c89edad99eb9b3",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "f43e64076ff1b1dcb893fb77ad1204105f710a29",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "4db7d6f481990dd179a9ee7126dc7aa31ea4fff3",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "31417073493f302d26ab66b3abc098d43227b835",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
},
{
"lessThan": "2e8e79c416aae1de224c0f1860f2e3350fa171f8",
"status": "affected",
"version": "80646733f11c2e9de3b6339f7e635047e6087280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/m_can/m_can.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_tx_handler(): fix use after free of skb\n\ncan_put_echo_skb() will clone skb then free the skb. Move the\ncan_put_echo_skb() for the m_can version 3.0.x directly before the\nstart of the xmit in hardware, similar to the 3.1.x branch."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:58.443Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d93ed9aff64968f4cdad690712eb4f48ae537bde"
},
{
"url": "https://git.kernel.org/stable/c/d3892a747ab16b1eb6593a19d29f62c3b3f020ac"
},
{
"url": "https://git.kernel.org/stable/c/7728d937ec403a1ceff9483023252d2cb8777f81"
},
{
"url": "https://git.kernel.org/stable/c/08d90846e438ac22dc56fc49ec0b0d195831c5ed"
},
{
"url": "https://git.kernel.org/stable/c/869016a2938ac44f7b2fb7fc22c89edad99eb9b3"
},
{
"url": "https://git.kernel.org/stable/c/f43e64076ff1b1dcb893fb77ad1204105f710a29"
},
{
"url": "https://git.kernel.org/stable/c/4db7d6f481990dd179a9ee7126dc7aa31ea4fff3"
},
{
"url": "https://git.kernel.org/stable/c/31417073493f302d26ab66b3abc098d43227b835"
},
{
"url": "https://git.kernel.org/stable/c/2e8e79c416aae1de224c0f1860f2e3350fa171f8"
}
],
"title": "can: m_can: m_can_tx_handler(): fix use after free of skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49275",
"datePublished": "2025-02-26T01:56:20.066Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:33:58.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21708 (GCVE-0-2025-21708)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: enable basic endpoint checking
Syzkaller reports [1] encountering a common issue of utilizing a wrong
usb endpoint type during URB submitting stage. This, in turn, triggers
a warning shown below.
For now, enable simple endpoint checking (specifically, bulk and
interrupt eps, testing control one is not essential) to mitigate
the issue with a view to do other related cosmetic changes later,
if they are necessary.
[1] Syzkaller report:
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv>
Modules linked in:
CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617>
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8>
RSP: 0018:ffffc9000441f740 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9
RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c
FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733
__dev_open+0x2d4/0x4e0 net/core/dev.c:1474
__dev_change_flags+0x561/0x720 net/core/dev.c:8838
dev_change_flags+0x8f/0x160 net/core/dev.c:8910
devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177
inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003
sock_do_ioctl+0x116/0x280 net/socket.c:1222
sock_ioctl+0x22e/0x6c0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc04ef73d49
...
This change has not been tested on real hardware.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:01.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "431be4f78220d34ce21d67a6b843b7ca81bd82e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f78a2b9ed4cb1e62c60d0a8905d9a37bc18c20d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d42168f109f96b5d18812a789086015a435ee667",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e10b392a7495a5dbbb25247e2c17d380d9899263",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3c706829ceb6e347bd4ddfd17f1d3048acd69da2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f395b7efcee8df54309eb2d4a624ef13f5d88b66",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c843515ad2be7349dd6b60e5fd299d0da0b8458b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90b7f2961798793275b4844348619b622f983907",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: enable basic endpoint checking\n\nSyzkaller reports [1] encountering a common issue of utilizing a wrong\nusb endpoint type during URB submitting stage. This, in turn, triggers\na warning shown below.\n\nFor now, enable simple endpoint checking (specifically, bulk and\ninterrupt eps, testing control one is not essential) to mitigate\nthe issue with a view to do other related cosmetic changes later,\nif they are necessary.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv\u003e\nModules linked in:\nCPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617\u003e\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nCode: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8\u003e\nRSP: 0018:ffffc9000441f740 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9\nRDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001\nRBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c\nFS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733\n __dev_open+0x2d4/0x4e0 net/core/dev.c:1474\n __dev_change_flags+0x561/0x720 net/core/dev.c:8838\n dev_change_flags+0x8f/0x160 net/core/dev.c:8910\n devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177\n inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003\n sock_do_ioctl+0x116/0x280 net/socket.c:1222\n sock_ioctl+0x22e/0x6c0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fc04ef73d49\n...\n\nThis change has not been tested on real hardware."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:26.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/431be4f78220d34ce21d67a6b843b7ca81bd82e9"
},
{
"url": "https://git.kernel.org/stable/c/8f78a2b9ed4cb1e62c60d0a8905d9a37bc18c20d"
},
{
"url": "https://git.kernel.org/stable/c/d42168f109f96b5d18812a789086015a435ee667"
},
{
"url": "https://git.kernel.org/stable/c/e10b392a7495a5dbbb25247e2c17d380d9899263"
},
{
"url": "https://git.kernel.org/stable/c/3c706829ceb6e347bd4ddfd17f1d3048acd69da2"
},
{
"url": "https://git.kernel.org/stable/c/f395b7efcee8df54309eb2d4a624ef13f5d88b66"
},
{
"url": "https://git.kernel.org/stable/c/c843515ad2be7349dd6b60e5fd299d0da0b8458b"
},
{
"url": "https://git.kernel.org/stable/c/90b7f2961798793275b4844348619b622f983907"
}
],
"title": "net: usb: rtl8150: enable basic endpoint checking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21708",
"datePublished": "2025-02-27T02:07:21.814Z",
"dateReserved": "2024-12-29T08:45:45.752Z",
"dateUpdated": "2025-11-03T19:36:01.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49430 (GCVE-0-2022-49430)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: gpio-keys - cancel delayed work only in case of GPIO
gpio_keys module can either accept gpios or interrupts. The module
initializes delayed work in case of gpios only and is only used if
debounce timer is not used, so make sure cancel_delayed_work_sync()
is called only when its gpio-backed and debounce_use_hrtimer is false.
This fixes the issue seen below when the gpio_keys module is unloaded and
an interrupt pin is used instead of GPIO:
[ 360.297569] ------------[ cut here ]------------
[ 360.302303] WARNING: CPU: 0 PID: 237 at kernel/workqueue.c:3066 __flush_work+0x414/0x470
[ 360.310531] Modules linked in: gpio_keys(-)
[ 360.314797] CPU: 0 PID: 237 Comm: rmmod Not tainted 5.18.0-rc5-arm64-renesas-00116-g73636105874d-dirty #166
[ 360.324662] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)
[ 360.331270] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 360.338318] pc : __flush_work+0x414/0x470
[ 360.342385] lr : __cancel_work_timer+0x140/0x1b0
[ 360.347065] sp : ffff80000a7fba00
[ 360.350423] x29: ffff80000a7fba00 x28: ffff000012b9c5c0 x27: 0000000000000000
[ 360.357664] x26: ffff80000a7fbb80 x25: ffff80000954d0a8 x24: 0000000000000001
[ 360.364904] x23: ffff800009757000 x22: 0000000000000000 x21: ffff80000919b000
[ 360.372143] x20: ffff00000f5974e0 x19: ffff00000f5974e0 x18: ffff8000097fcf48
[ 360.379382] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000053f40
[ 360.386622] x14: ffff800009850e88 x13: 0000000000000002 x12: 000000000000a60c
[ 360.393861] x11: 000000000000a610 x10: 0000000000000000 x9 : 0000000000000008
[ 360.401100] x8 : 0101010101010101 x7 : 00000000a473c394 x6 : 0080808080808080
[ 360.408339] x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff80000919b458
[ 360.415578] x2 : ffff8000097577f0 x1 : 0000000000000001 x0 : 0000000000000000
[ 360.422818] Call trace:
[ 360.425299] __flush_work+0x414/0x470
[ 360.429012] __cancel_work_timer+0x140/0x1b0
[ 360.433340] cancel_delayed_work_sync+0x10/0x18
[ 360.437931] gpio_keys_quiesce_key+0x28/0x58 [gpio_keys]
[ 360.443327] devm_action_release+0x10/0x18
[ 360.447481] release_nodes+0x8c/0x1a0
[ 360.451194] devres_release_all+0x90/0x100
[ 360.455346] device_unbind_cleanup+0x14/0x60
[ 360.459677] device_release_driver_internal+0xe8/0x168
[ 360.464883] driver_detach+0x4c/0x90
[ 360.468509] bus_remove_driver+0x54/0xb0
[ 360.472485] driver_unregister+0x2c/0x58
[ 360.476462] platform_driver_unregister+0x10/0x18
[ 360.481230] gpio_keys_exit+0x14/0x828 [gpio_keys]
[ 360.486088] __arm64_sys_delete_module+0x1e0/0x270
[ 360.490945] invoke_syscall+0x40/0xf8
[ 360.494661] el0_svc_common.constprop.3+0xf0/0x110
[ 360.499515] do_el0_svc+0x20/0x78
[ 360.502877] el0_svc+0x48/0xf8
[ 360.505977] el0t_64_sync_handler+0x88/0xb0
[ 360.510216] el0t_64_sync+0x148/0x14c
[ 360.513930] irq event stamp: 4306
[ 360.517288] hardirqs last enabled at (4305): [<ffff8000080b0300>] __cancel_work_timer+0x130/0x1b0
[ 360.526359] hardirqs last disabled at (4306): [<ffff800008d194fc>] el1_dbg+0x24/0x88
[ 360.534204] softirqs last enabled at (4278): [<ffff8000080104a0>] _stext+0x4a0/0x5e0
[ 360.542133] softirqs last disabled at (4267): [<ffff8000080932ac>] irq_exit_rcu+0x18c/0x1b0
[ 360.550591] ---[ end trace 0000000000000000 ]---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/gpio_keys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96c460687813915dedca9dd7d04ae0e90607fd79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4160e09619086fc155b51ccdb3462a3f233a5f4b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b1ae300c2953257c146b5f0757537935c0b6027",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cee409bbba0d1bd3fb73064fb480ff365f453b5d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/gpio_keys.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: gpio-keys - cancel delayed work only in case of GPIO\n\ngpio_keys module can either accept gpios or interrupts. The module\ninitializes delayed work in case of gpios only and is only used if\ndebounce timer is not used, so make sure cancel_delayed_work_sync()\nis called only when its gpio-backed and debounce_use_hrtimer is false.\n\nThis fixes the issue seen below when the gpio_keys module is unloaded and\nan interrupt pin is used instead of GPIO:\n\n[ 360.297569] ------------[ cut here ]------------\n[ 360.302303] WARNING: CPU: 0 PID: 237 at kernel/workqueue.c:3066 __flush_work+0x414/0x470\n[ 360.310531] Modules linked in: gpio_keys(-)\n[ 360.314797] CPU: 0 PID: 237 Comm: rmmod Not tainted 5.18.0-rc5-arm64-renesas-00116-g73636105874d-dirty #166\n[ 360.324662] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)\n[ 360.331270] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 360.338318] pc : __flush_work+0x414/0x470\n[ 360.342385] lr : __cancel_work_timer+0x140/0x1b0\n[ 360.347065] sp : ffff80000a7fba00\n[ 360.350423] x29: ffff80000a7fba00 x28: ffff000012b9c5c0 x27: 0000000000000000\n[ 360.357664] x26: ffff80000a7fbb80 x25: ffff80000954d0a8 x24: 0000000000000001\n[ 360.364904] x23: ffff800009757000 x22: 0000000000000000 x21: ffff80000919b000\n[ 360.372143] x20: ffff00000f5974e0 x19: ffff00000f5974e0 x18: ffff8000097fcf48\n[ 360.379382] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000053f40\n[ 360.386622] x14: ffff800009850e88 x13: 0000000000000002 x12: 000000000000a60c\n[ 360.393861] x11: 000000000000a610 x10: 0000000000000000 x9 : 0000000000000008\n[ 360.401100] x8 : 0101010101010101 x7 : 00000000a473c394 x6 : 0080808080808080\n[ 360.408339] x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff80000919b458\n[ 360.415578] x2 : ffff8000097577f0 x1 : 0000000000000001 x0 : 0000000000000000\n[ 360.422818] Call trace:\n[ 360.425299] __flush_work+0x414/0x470\n[ 360.429012] __cancel_work_timer+0x140/0x1b0\n[ 360.433340] cancel_delayed_work_sync+0x10/0x18\n[ 360.437931] gpio_keys_quiesce_key+0x28/0x58 [gpio_keys]\n[ 360.443327] devm_action_release+0x10/0x18\n[ 360.447481] release_nodes+0x8c/0x1a0\n[ 360.451194] devres_release_all+0x90/0x100\n[ 360.455346] device_unbind_cleanup+0x14/0x60\n[ 360.459677] device_release_driver_internal+0xe8/0x168\n[ 360.464883] driver_detach+0x4c/0x90\n[ 360.468509] bus_remove_driver+0x54/0xb0\n[ 360.472485] driver_unregister+0x2c/0x58\n[ 360.476462] platform_driver_unregister+0x10/0x18\n[ 360.481230] gpio_keys_exit+0x14/0x828 [gpio_keys]\n[ 360.486088] __arm64_sys_delete_module+0x1e0/0x270\n[ 360.490945] invoke_syscall+0x40/0xf8\n[ 360.494661] el0_svc_common.constprop.3+0xf0/0x110\n[ 360.499515] do_el0_svc+0x20/0x78\n[ 360.502877] el0_svc+0x48/0xf8\n[ 360.505977] el0t_64_sync_handler+0x88/0xb0\n[ 360.510216] el0t_64_sync+0x148/0x14c\n[ 360.513930] irq event stamp: 4306\n[ 360.517288] hardirqs last enabled at (4305): [\u003cffff8000080b0300\u003e] __cancel_work_timer+0x130/0x1b0\n[ 360.526359] hardirqs last disabled at (4306): [\u003cffff800008d194fc\u003e] el1_dbg+0x24/0x88\n[ 360.534204] softirqs last enabled at (4278): [\u003cffff8000080104a0\u003e] _stext+0x4a0/0x5e0\n[ 360.542133] softirqs last disabled at (4267): [\u003cffff8000080932ac\u003e] irq_exit_rcu+0x18c/0x1b0\n[ 360.550591] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:30.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96c460687813915dedca9dd7d04ae0e90607fd79"
},
{
"url": "https://git.kernel.org/stable/c/4160e09619086fc155b51ccdb3462a3f233a5f4b"
},
{
"url": "https://git.kernel.org/stable/c/8b1ae300c2953257c146b5f0757537935c0b6027"
},
{
"url": "https://git.kernel.org/stable/c/cee409bbba0d1bd3fb73064fb480ff365f453b5d"
}
],
"title": "Input: gpio-keys - cancel delayed work only in case of GPIO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49430",
"datePublished": "2025-02-26T02:12:49.114Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T08:37:30.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21793 (GCVE-0-2025-21793)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: sn-f-ospi: Fix division by zero
When there is no dummy cycle in the spi-nor commands, both dummy bus cycle
bytes and width are zero. Because of the cpu's warning when divided by
zero, the warning should be avoided. Return just zero to avoid such
calculations.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:29:03.317315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide By Zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:39.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sn-f-ospi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "966328191b4c389c0f2159fa242915f51cbc1679",
"status": "affected",
"version": "1b74dd64c8612619e399e5a31da79a3636914495",
"versionType": "git"
},
{
"lessThan": "4df6f005bef04a3dd16c028124a1b5684db3922b",
"status": "affected",
"version": "1b74dd64c8612619e399e5a31da79a3636914495",
"versionType": "git"
},
{
"lessThan": "7434135553bc03809a55803ee6a8dcaae6240d55",
"status": "affected",
"version": "1b74dd64c8612619e399e5a31da79a3636914495",
"versionType": "git"
},
{
"lessThan": "3588b1c0fde2f58d166e3f94a5a58d64b893526c",
"status": "affected",
"version": "1b74dd64c8612619e399e5a31da79a3636914495",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-sn-f-ospi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sn-f-ospi: Fix division by zero\n\nWhen there is no dummy cycle in the spi-nor commands, both dummy bus cycle\nbytes and width are zero. Because of the cpu\u0027s warning when divided by\nzero, the warning should be avoided. Return just zero to avoid such\ncalculations."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:21.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/966328191b4c389c0f2159fa242915f51cbc1679"
},
{
"url": "https://git.kernel.org/stable/c/4df6f005bef04a3dd16c028124a1b5684db3922b"
},
{
"url": "https://git.kernel.org/stable/c/7434135553bc03809a55803ee6a8dcaae6240d55"
},
{
"url": "https://git.kernel.org/stable/c/3588b1c0fde2f58d166e3f94a5a58d64b893526c"
}
],
"title": "spi: sn-f-ospi: Fix division by zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21793",
"datePublished": "2025-02-27T02:18:30.281Z",
"dateReserved": "2024-12-29T08:45:45.767Z",
"dateUpdated": "2025-10-01T19:36:39.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47641 (GCVE-0-2021-47641)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
Do a sanity check on pixclock value to avoid divide by zero.
If the pixclock value is zero, the cirrusfb driver will round up
pixclock to get the derived frequency as close to maxclock as
possible.
Syzkaller reported a divide error in cirrusfb_check_pixclock.
divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2
RIP: 0010:cirrusfb_check_var+0x6f1/0x1260
Call Trace:
fb_set_var+0x398/0xf90
do_fb_ioctl+0x4b8/0x6f0
fb_ioctl+0xeb/0x130
__x64_sys_ioctl+0x19d/0x220
do_syscall_64+0x3a/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:40.514584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide By Zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:08.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/cirrusfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c656d04247a2654ede5cead2ecbf83431dad5261",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40b13e3d85744210db13457785646634e2d056bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53a2088a396cfa1da92690a1da289634cd73bf0d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c7e2141fb89c620ab4e41512e262fbf25b8260d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6fe23ff94e7840097202e85c148688940b37c9b1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "45800c42ef000f417270bcfc08630e42486fca99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e498b504f8c81b07efab9febf8503448de4dc9cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5c6f402bdcf9e7239c6bc7087eda71ac99b31379",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/cirrusfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: cirrusfb: check pixclock to avoid divide by zero\n\nDo a sanity check on pixclock value to avoid divide by zero.\n\nIf the pixclock value is zero, the cirrusfb driver will round up\npixclock to get the derived frequency as close to maxclock as\npossible.\n\nSyzkaller reported a divide error in cirrusfb_check_pixclock.\n\ndivide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2\nRIP: 0010:cirrusfb_check_var+0x6f1/0x1260\n\nCall Trace:\n fb_set_var+0x398/0xf90\n do_fb_ioctl+0x4b8/0x6f0\n fb_ioctl+0xeb/0x130\n __x64_sys_ioctl+0x19d/0x220\n do_syscall_64+0x3a/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:20.810Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c656d04247a2654ede5cead2ecbf83431dad5261"
},
{
"url": "https://git.kernel.org/stable/c/1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135"
},
{
"url": "https://git.kernel.org/stable/c/40b13e3d85744210db13457785646634e2d056bd"
},
{
"url": "https://git.kernel.org/stable/c/53a2088a396cfa1da92690a1da289634cd73bf0d"
},
{
"url": "https://git.kernel.org/stable/c/8c7e2141fb89c620ab4e41512e262fbf25b8260d"
},
{
"url": "https://git.kernel.org/stable/c/6fe23ff94e7840097202e85c148688940b37c9b1"
},
{
"url": "https://git.kernel.org/stable/c/45800c42ef000f417270bcfc08630e42486fca99"
},
{
"url": "https://git.kernel.org/stable/c/e498b504f8c81b07efab9febf8503448de4dc9cf"
},
{
"url": "https://git.kernel.org/stable/c/5c6f402bdcf9e7239c6bc7087eda71ac99b31379"
}
],
"title": "video: fbdev: cirrusfb: check pixclock to avoid divide by zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47641",
"datePublished": "2025-02-26T01:54:12.680Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:08.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49078 (GCVE-0-2022-49078)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-09-03 12:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lz4: fix LZ4_decompress_safe_partial read out of bound
When partialDecoding, it is EOF if we've either filled the output buffer
or can't proceed with reading an offset for following match.
In some extreme corner cases when compressed data is suitably corrupted,
UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial
may lead to read out of bound problem during decoding. lz4 upstream has
fixed it [2] and this issue has been disscussed here [3] before.
current decompression routine was ported from lz4 v1.8.3, bumping
lib/lz4 to v1.9.+ is certainly a huge work to be done later, so, we'd
better fix it first.
[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa Version: 2209fda323e2fd2a2d0885595fd5097717f8d2aa |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:16.973304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/lz4/lz4_decompress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
},
{
"lessThan": "6adc01a7aa37445dafe8846faa0610a86029b253",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
},
{
"lessThan": "9fb8bc6cfc58773ce95414e11c9ccc8fc6ac4927",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
},
{
"lessThan": "e64dbe97c05c769525cbca099ddbd22485630235",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
},
{
"lessThan": "467d5e200ab4486b744fe1776154a43d1aa22d4b",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
},
{
"lessThan": "eafc0a02391b7b36617b36c97c4b5d6832cf5e24",
"status": "affected",
"version": "2209fda323e2fd2a2d0885595fd5097717f8d2aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/lz4/lz4_decompress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlz4: fix LZ4_decompress_safe_partial read out of bound\n\nWhen partialDecoding, it is EOF if we\u0027ve either filled the output buffer\nor can\u0027t proceed with reading an offset for following match.\n\nIn some extreme corner cases when compressed data is suitably corrupted,\nUAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial\nmay lead to read out of bound problem during decoding. lz4 upstream has\nfixed it [2] and this issue has been disscussed here [3] before.\n\ncurrent decompression routine was ported from lz4 v1.8.3, bumping\nlib/lz4 to v1.9.+ is certainly a huge work to be done later, so, we\u0027d\nbetter fix it first.\n\n[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/\n[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#\n[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:58:36.144Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3"
},
{
"url": "https://git.kernel.org/stable/c/6adc01a7aa37445dafe8846faa0610a86029b253"
},
{
"url": "https://git.kernel.org/stable/c/9fb8bc6cfc58773ce95414e11c9ccc8fc6ac4927"
},
{
"url": "https://git.kernel.org/stable/c/e64dbe97c05c769525cbca099ddbd22485630235"
},
{
"url": "https://git.kernel.org/stable/c/467d5e200ab4486b744fe1776154a43d1aa22d4b"
},
{
"url": "https://git.kernel.org/stable/c/eafc0a02391b7b36617b36c97c4b5d6832cf5e24"
}
],
"title": "lz4: fix LZ4_decompress_safe_partial read out of bound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49078",
"datePublished": "2025-02-26T01:54:40.207Z",
"dateReserved": "2025-02-26T01:49:39.247Z",
"dateUpdated": "2025-09-03T12:58:36.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53005 (GCVE-0-2023-53005)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
trace_events_hist: add check for return value of 'create_hist_field'
Function 'create_hist_field' is called recursively at
trace_events_hist.c:1954 and can return NULL-value that's why we have
to check it to avoid null pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:06.528036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:03.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2d1ada58e7cc100b8d7d6b082d19321ba4a700a",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "31b2414abeaa6de0490e85164badc6dcb1bb8ec9",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "886aa449235f478e262bbd5dcdee6ed6bc202949",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "592ba7116fa620425725ff0972691f352ba3caf6",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "b4e7e81b4fdfcf457daee6b7a61769f62198d840",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "8b152e9150d07a885f95e1fd401fc81af202d9a4",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace_events_hist: add check for return value of \u0027create_hist_field\u0027\n\nFunction \u0027create_hist_field\u0027 is called recursively at\ntrace_events_hist.c:1954 and can return NULL-value that\u0027s why we have\nto check it to avoid null pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:21.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2d1ada58e7cc100b8d7d6b082d19321ba4a700a"
},
{
"url": "https://git.kernel.org/stable/c/31b2414abeaa6de0490e85164badc6dcb1bb8ec9"
},
{
"url": "https://git.kernel.org/stable/c/886aa449235f478e262bbd5dcdee6ed6bc202949"
},
{
"url": "https://git.kernel.org/stable/c/592ba7116fa620425725ff0972691f352ba3caf6"
},
{
"url": "https://git.kernel.org/stable/c/b4e7e81b4fdfcf457daee6b7a61769f62198d840"
},
{
"url": "https://git.kernel.org/stable/c/8b152e9150d07a885f95e1fd401fc81af202d9a4"
}
],
"title": "trace_events_hist: add check for return value of \u0027create_hist_field\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53005",
"datePublished": "2025-03-27T16:43:36.547Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-10-01T20:17:03.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49565 (GCVE-0-2022-49565)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/lbr: Fix unchecked MSR access error on HSW
The fuzzer triggers the below trace.
[ 7763.384369] unchecked MSR access error: WRMSR to 0x689
(tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4
(native_write_msr+0x4/0x20)
[ 7763.397420] Call Trace:
[ 7763.399881] <TASK>
[ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0
[ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0
[ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240
On a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is
disabled, a TSX quirk is required to access LBR from registers.
The lbr_from_signext_quirk_needed() is introduced to determine whether
the TSX quirk should be applied. However, the
lbr_from_signext_quirk_needed() is invoked before the
intel_pmu_lbr_init(), which parses the LBR format information. Without
the correct LBR format information, the TSX quirk never be applied.
Move the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init().
Checking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is
not required anymore.
Both LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but
only the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments
accordingly.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/lbr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "625bcd0685a1612225df83468c83412fc0edb3d7",
"status": "affected",
"version": "1ac7fd8159a842b3aa51f0b46a351fa3eeb8fbf3",
"versionType": "git"
},
{
"lessThan": "b0380e13502adf7dd8be4c47d622c3522aae6c63",
"status": "affected",
"version": "1ac7fd8159a842b3aa51f0b46a351fa3eeb8fbf3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/lbr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/lbr: Fix unchecked MSR access error on HSW\n\nThe fuzzer triggers the below trace.\n\n[ 7763.384369] unchecked MSR access error: WRMSR to 0x689\n(tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4\n(native_write_msr+0x4/0x20)\n[ 7763.397420] Call Trace:\n[ 7763.399881] \u003cTASK\u003e\n[ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0\n[ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0\n[ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240\n\nOn a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is\ndisabled, a TSX quirk is required to access LBR from registers.\nThe lbr_from_signext_quirk_needed() is introduced to determine whether\nthe TSX quirk should be applied. However, the\nlbr_from_signext_quirk_needed() is invoked before the\nintel_pmu_lbr_init(), which parses the LBR format information. Without\nthe correct LBR format information, the TSX quirk never be applied.\n\nMove the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init().\nChecking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is\nnot required anymore.\n\nBoth LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but\nonly the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments\naccordingly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:45.536Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/625bcd0685a1612225df83468c83412fc0edb3d7"
},
{
"url": "https://git.kernel.org/stable/c/b0380e13502adf7dd8be4c47d622c3522aae6c63"
}
],
"title": "perf/x86/intel/lbr: Fix unchecked MSR access error on HSW",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49565",
"datePublished": "2025-02-26T02:23:11.213Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-05-04T08:40:45.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49280 (GCVE-0-2022-49280)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: prevent underflow in nfssvc_decode_writeargs()
Smatch complains:
fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
warn: no lower bound on 'args->len'
Change the type to unsigned to prevent this issue.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:22.983376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:00.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsproc.c",
"fs/nfsd/xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a33e0de60feda402d05ac8a6cf409c19ea3e0b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "438068f4912183a59fcb6b7496a06437f7fd4e2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f0f048c1bfa7867d565a95fd8c28f4484ba1043",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85259340fc9bd54e3d567b41b881ecb4d0055da1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65e21cc042f4c1518c8c55283f53bc725b78419d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "614a61e1592051cc42d3c38f899c9f7bdaad8a1d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2764af8ce0bf03cc43ee4a11897cab96bde6caae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "413d8fefafe531a9442bb623e3fe292a38f88d65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "184416d4b98509fb4c3d8fc3d6dc1437896cc159",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsproc.c",
"fs/nfsd/xdr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: prevent underflow in nfssvc_decode_writeargs()\n\nSmatch complains:\n\n\tfs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()\n\twarn: no lower bound on \u0027args-\u003elen\u0027\n\nChange the type to unsigned to prevent this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:04.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a33e0de60feda402d05ac8a6cf409c19ea3e0b3"
},
{
"url": "https://git.kernel.org/stable/c/438068f4912183a59fcb6b7496a06437f7fd4e2b"
},
{
"url": "https://git.kernel.org/stable/c/9f0f048c1bfa7867d565a95fd8c28f4484ba1043"
},
{
"url": "https://git.kernel.org/stable/c/85259340fc9bd54e3d567b41b881ecb4d0055da1"
},
{
"url": "https://git.kernel.org/stable/c/65e21cc042f4c1518c8c55283f53bc725b78419d"
},
{
"url": "https://git.kernel.org/stable/c/614a61e1592051cc42d3c38f899c9f7bdaad8a1d"
},
{
"url": "https://git.kernel.org/stable/c/2764af8ce0bf03cc43ee4a11897cab96bde6caae"
},
{
"url": "https://git.kernel.org/stable/c/413d8fefafe531a9442bb623e3fe292a38f88d65"
},
{
"url": "https://git.kernel.org/stable/c/184416d4b98509fb4c3d8fc3d6dc1437896cc159"
}
],
"title": "NFSD: prevent underflow in nfssvc_decode_writeargs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49280",
"datePublished": "2025-02-26T01:56:22.662Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-10-01T19:47:00.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58012 (GCVE-0-2024-58012)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params
Each cpu DAI should associate with a widget. However, the topology might
not create the right number of DAI widgets for aggregated amps. And it
will cause NULL pointer deference.
Check that the DAI widget associated with the CPU DAI is valid to prevent
NULL pointer deference due to missing DAI widgets in topologies with
aggregated amps.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:27.061847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:05.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-dai.c",
"sound/soc/sof/intel/hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e012a77e4d7632cf615ba9625b1600ed8985c3b5",
"status": "affected",
"version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
"versionType": "git"
},
{
"lessThan": "789a2fbf0900982788408d3b0034e0e3f914fb3b",
"status": "affected",
"version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
"versionType": "git"
},
{
"lessThan": "569922b82ca660f8b24e705f6cf674e6b1f99cc7",
"status": "affected",
"version": "4c414da93a4642d02c67fbe82f1834be7bf586b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-dai.c",
"sound/soc/sof/intel/hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params\n\nEach cpu DAI should associate with a widget. However, the topology might\nnot create the right number of DAI widgets for aggregated amps. And it\nwill cause NULL pointer deference.\nCheck that the DAI widget associated with the CPU DAI is valid to prevent\nNULL pointer deference due to missing DAI widgets in topologies with\naggregated amps."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:24.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e012a77e4d7632cf615ba9625b1600ed8985c3b5"
},
{
"url": "https://git.kernel.org/stable/c/789a2fbf0900982788408d3b0034e0e3f914fb3b"
},
{
"url": "https://git.kernel.org/stable/c/569922b82ca660f8b24e705f6cf674e6b1f99cc7"
}
],
"title": "ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58012",
"datePublished": "2025-02-27T02:12:06.202Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-10-01T20:17:05.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52933 (GCVE-0-2023-52933)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix handling and sanity checking of xattr_ids count
A Sysbot [1] corrupted filesystem exposes two flaws in the handling and
sanity checking of the xattr_ids count in the filesystem. Both of these
flaws cause computation overflow due to incorrect typing.
In the corrupted filesystem the xattr_ids value is 4294967071, which
stored in a signed variable becomes the negative number -225.
Flaw 1 (64-bit systems only):
The signed integer xattr_ids variable causes sign extension.
This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The
variable is first multiplied by sizeof(struct squashfs_xattr_id) where the
type of the sizeof operator is "unsigned long".
On a 64-bit system this is 64-bits in size, and causes the negative number
to be sign extended and widened to 64-bits and then become unsigned. This
produces the very large number 18446744073709548016 or 2^64 - 3600. This
number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and
divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0
(stored in len).
Flaw 2 (32-bit systems only):
On a 32-bit system the integer variable is not widened by the unsigned
long type of the sizeof operator (32-bits), and the signedness of the
variable has no effect due it always being treated as unsigned.
The above corrupted xattr_ids value of 4294967071, when multiplied
overflows and produces the number 4294963696 or 2^32 - 3400. This number
when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by
SQUASHFS_METADATA_SIZE overflows again and produces a length of 0.
The effect of the 0 length computation:
In conjunction with the corrupted xattr_ids field, the filesystem also has
a corrupted xattr_table_start value, where it matches the end of
filesystem value of 850.
This causes the following sanity check code to fail because the
incorrectly computed len of 0 matches the incorrect size of the table
reported by the superblock (0 bytes).
len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);
/*
* The computed size of the index table (len bytes) should exactly
* match the table start and end points
*/
start = table_start + sizeof(*id_table);
end = msblk->bytes_used;
if (len != (end - start))
return ERR_PTR(-EINVAL);
Changing the xattr_ids variable to be "usigned int" fixes the flaw on a
64-bit system. This relies on the fact the computation is widened by the
unsigned long type of the sizeof operator.
Casting the variable to u64 in the above macro fixes this flaw on a 32-bit
system.
It also means 64-bit systems do not implicitly rely on the type of the
sizeof operator to widen the computation.
[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: ff49cace7b8cf00d27665f7536a863d406963d06 Version: a8717b34003f4f7353b23826617ad872f85d85d8 Version: 3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad Version: bddcce15cd1fb9675ddd46a76d8fe2d0a571313b Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b Version: eca93bf20f70e0f78c8c28720951942f61a49117 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/squashfs_fs.h",
"fs/squashfs/squashfs_fs_sb.h",
"fs/squashfs/xattr.h",
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fe583c9bec10cd4b76231c51b37f3e4ca646e01",
"status": "affected",
"version": "ff49cace7b8cf00d27665f7536a863d406963d06",
"versionType": "git"
},
{
"lessThan": "b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2",
"status": "affected",
"version": "a8717b34003f4f7353b23826617ad872f85d85d8",
"versionType": "git"
},
{
"lessThan": "1369322c1de52c7b9b988b95c9903110a4566778",
"status": "affected",
"version": "3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad",
"versionType": "git"
},
{
"lessThan": "5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e",
"status": "affected",
"version": "bddcce15cd1fb9675ddd46a76d8fe2d0a571313b",
"versionType": "git"
},
{
"lessThan": "997bed0f3cde78a3e639d624985bf4a95cf767e6",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "a7da7d01ac5ce9b369a1ac70e1197999cc6c9686",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "f65c4bbbd682b0877b669828b4e033b8d5d0a2dc",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"status": "affected",
"version": "91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b",
"versionType": "git"
},
{
"status": "affected",
"version": "eca93bf20f70e0f78c8c28720951942f61a49117",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/squashfs_fs.h",
"fs/squashfs/squashfs_fs_sb.h",
"fs/squashfs/xattr.h",
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "4.14.222",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "4.19.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.258",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.258",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix handling and sanity checking of xattr_ids count\n\nA Sysbot [1] corrupted filesystem exposes two flaws in the handling and\nsanity checking of the xattr_ids count in the filesystem. Both of these\nflaws cause computation overflow due to incorrect typing.\n\nIn the corrupted filesystem the xattr_ids value is 4294967071, which\nstored in a signed variable becomes the negative number -225.\n\nFlaw 1 (64-bit systems only):\n\nThe signed integer xattr_ids variable causes sign extension.\n\nThis causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The\nvariable is first multiplied by sizeof(struct squashfs_xattr_id) where the\ntype of the sizeof operator is \"unsigned long\".\n\nOn a 64-bit system this is 64-bits in size, and causes the negative number\nto be sign extended and widened to 64-bits and then become unsigned. This\nproduces the very large number 18446744073709548016 or 2^64 - 3600. This\nnumber when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and\ndivided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0\n(stored in len).\n\nFlaw 2 (32-bit systems only):\n\nOn a 32-bit system the integer variable is not widened by the unsigned\nlong type of the sizeof operator (32-bits), and the signedness of the\nvariable has no effect due it always being treated as unsigned.\n\nThe above corrupted xattr_ids value of 4294967071, when multiplied\noverflows and produces the number 4294963696 or 2^32 - 3400. This number\nwhen rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by\nSQUASHFS_METADATA_SIZE overflows again and produces a length of 0.\n\nThe effect of the 0 length computation:\n\nIn conjunction with the corrupted xattr_ids field, the filesystem also has\na corrupted xattr_table_start value, where it matches the end of\nfilesystem value of 850.\n\nThis causes the following sanity check code to fail because the\nincorrectly computed len of 0 matches the incorrect size of the table\nreported by the superblock (0 bytes).\n\n len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);\n indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);\n\n /*\n * The computed size of the index table (len bytes) should exactly\n * match the table start and end points\n */\n start = table_start + sizeof(*id_table);\n end = msblk-\u003ebytes_used;\n\n if (len != (end - start))\n return ERR_PTR(-EINVAL);\n\nChanging the xattr_ids variable to be \"usigned int\" fixes the flaw on a\n64-bit system. This relies on the fact the computation is widened by the\nunsigned long type of the sizeof operator.\n\nCasting the variable to u64 in the above macro fixes this flaw on a 32-bit\nsystem.\n\nIt also means 64-bit systems do not implicitly rely on the type of the\nsizeof operator to widen the computation.\n\n[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:53.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fe583c9bec10cd4b76231c51b37f3e4ca646e01"
},
{
"url": "https://git.kernel.org/stable/c/b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2"
},
{
"url": "https://git.kernel.org/stable/c/1369322c1de52c7b9b988b95c9903110a4566778"
},
{
"url": "https://git.kernel.org/stable/c/5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e"
},
{
"url": "https://git.kernel.org/stable/c/997bed0f3cde78a3e639d624985bf4a95cf767e6"
},
{
"url": "https://git.kernel.org/stable/c/a7da7d01ac5ce9b369a1ac70e1197999cc6c9686"
},
{
"url": "https://git.kernel.org/stable/c/f65c4bbbd682b0877b669828b4e033b8d5d0a2dc"
}
],
"title": "Squashfs: fix handling and sanity checking of xattr_ids count",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52933",
"datePublished": "2025-03-27T16:37:14.230Z",
"dateReserved": "2024-08-21T06:07:11.020Z",
"dateUpdated": "2025-05-04T12:49:53.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49099 (GCVE-0-2022-49099)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()
Initialize the device's dma_{mask,parms} pointers and the device's
dma_mask value before invoking device_register(). Address the
following trace with 5.17-rc7:
[ 49.646839] WARNING: CPU: 0 PID: 189 at include/linux/dma-mapping.h:543
netvsc_probe+0x37a/0x3a0 [hv_netvsc]
[ 49.646928] Call Trace:
[ 49.646930] <TASK>
[ 49.646935] vmbus_probe+0x40/0x60 [hv_vmbus]
[ 49.646942] really_probe+0x1ce/0x3b0
[ 49.646948] __driver_probe_device+0x109/0x180
[ 49.646952] driver_probe_device+0x23/0xa0
[ 49.646955] __device_attach_driver+0x76/0xe0
[ 49.646958] ? driver_allows_async_probing+0x50/0x50
[ 49.646961] bus_for_each_drv+0x84/0xd0
[ 49.646964] __device_attach+0xed/0x170
[ 49.646967] device_initial_probe+0x13/0x20
[ 49.646970] bus_probe_device+0x8f/0xa0
[ 49.646973] device_add+0x41a/0x8e0
[ 49.646975] ? hrtimer_init+0x28/0x80
[ 49.646981] device_register+0x1b/0x20
[ 49.646983] vmbus_device_register+0x5e/0xf0 [hv_vmbus]
[ 49.646991] vmbus_add_channel_work+0x12d/0x190 [hv_vmbus]
[ 49.646999] process_one_work+0x21d/0x3f0
[ 49.647002] worker_thread+0x4a/0x3b0
[ 49.647005] ? process_one_work+0x3f0/0x3f0
[ 49.647007] kthread+0xff/0x130
[ 49.647011] ? kthread_complete_and_exit+0x20/0x20
[ 49.647015] ret_from_fork+0x22/0x30
[ 49.647020] </TASK>
[ 49.647021] ---[ end trace 0000000000000000 ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fe4b8631427618175a32f125062df91a5fe3f73",
"status": "affected",
"version": "743b237c3a7b0f5b44aa704aae8a1058877b6322",
"versionType": "git"
},
{
"lessThan": "3a5469582c241abca22500f36a9cb8e9331969cf",
"status": "affected",
"version": "743b237c3a7b0f5b44aa704aae8a1058877b6322",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/vmbus_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()\n\nInitialize the device\u0027s dma_{mask,parms} pointers and the device\u0027s\ndma_mask value before invoking device_register(). Address the\nfollowing trace with 5.17-rc7:\n\n[ 49.646839] WARNING: CPU: 0 PID: 189 at include/linux/dma-mapping.h:543\n\tnetvsc_probe+0x37a/0x3a0 [hv_netvsc]\n[ 49.646928] Call Trace:\n[ 49.646930] \u003cTASK\u003e\n[ 49.646935] vmbus_probe+0x40/0x60 [hv_vmbus]\n[ 49.646942] really_probe+0x1ce/0x3b0\n[ 49.646948] __driver_probe_device+0x109/0x180\n[ 49.646952] driver_probe_device+0x23/0xa0\n[ 49.646955] __device_attach_driver+0x76/0xe0\n[ 49.646958] ? driver_allows_async_probing+0x50/0x50\n[ 49.646961] bus_for_each_drv+0x84/0xd0\n[ 49.646964] __device_attach+0xed/0x170\n[ 49.646967] device_initial_probe+0x13/0x20\n[ 49.646970] bus_probe_device+0x8f/0xa0\n[ 49.646973] device_add+0x41a/0x8e0\n[ 49.646975] ? hrtimer_init+0x28/0x80\n[ 49.646981] device_register+0x1b/0x20\n[ 49.646983] vmbus_device_register+0x5e/0xf0 [hv_vmbus]\n[ 49.646991] vmbus_add_channel_work+0x12d/0x190 [hv_vmbus]\n[ 49.646999] process_one_work+0x21d/0x3f0\n[ 49.647002] worker_thread+0x4a/0x3b0\n[ 49.647005] ? process_one_work+0x3f0/0x3f0\n[ 49.647007] kthread+0xff/0x130\n[ 49.647011] ? kthread_complete_and_exit+0x20/0x20\n[ 49.647015] ret_from_fork+0x22/0x30\n[ 49.647020] \u003c/TASK\u003e\n[ 49.647021] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:51.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fe4b8631427618175a32f125062df91a5fe3f73"
},
{
"url": "https://git.kernel.org/stable/c/3a5469582c241abca22500f36a9cb8e9331969cf"
}
],
"title": "Drivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49099",
"datePublished": "2025-02-26T01:54:50.571Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-05-04T08:29:51.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52984 (GCVE-0-2023-52984)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices
The probe() function is only used for the DP83822 PHY, leaving the
private data pointer uninitialized for the smaller DP83825/26 models.
While all uses of the private data structure are hidden in 82822 specific
callbacks, configuring the interrupt is shared across all models.
This causes a NULL pointer dereference on the smaller PHYs as it accesses
the private data unchecked. Verifying the pointer avoids that.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:20:57.142951Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:20:59.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/dp83822.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "362a2f5531dc0e5b0b5b3e3a541000dbffa75461",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "2cd1e9c013ec56421c58921b1ddf1d2d53bd47fa",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "78901b10522cdf6badf24acf65a892637596bccc",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "422ae7d9c7221e8d4c8526d0f54106307d69d2dc",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/dp83822.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices\n\nThe probe() function is only used for the DP83822 PHY, leaving the\nprivate data pointer uninitialized for the smaller DP83825/26 models.\nWhile all uses of the private data structure are hidden in 82822 specific\ncallbacks, configuring the interrupt is shared across all models.\nThis causes a NULL pointer dereference on the smaller PHYs as it accesses\nthe private data unchecked. Verifying the pointer avoids that."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:50.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/362a2f5531dc0e5b0b5b3e3a541000dbffa75461"
},
{
"url": "https://git.kernel.org/stable/c/2cd1e9c013ec56421c58921b1ddf1d2d53bd47fa"
},
{
"url": "https://git.kernel.org/stable/c/78901b10522cdf6badf24acf65a892637596bccc"
},
{
"url": "https://git.kernel.org/stable/c/422ae7d9c7221e8d4c8526d0f54106307d69d2dc"
}
],
"title": "net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52984",
"datePublished": "2025-03-27T16:43:22.283Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-10-01T17:20:59.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49484 (GCVE-0-2022-49484)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector
Fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector
routine if the chip does not support dbdc and the hw reports band_idx
set to 1.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:13.492274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7915/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "268e8ef187eb8780d021b0e4f5ffa92dee5c4983",
"status": "affected",
"version": "78fc30a21cf1175e97567fa5153c0efc7d955a45",
"versionType": "git"
},
{
"lessThan": "62fdc974894eec80d678523458cf99bbdb887e22",
"status": "affected",
"version": "78fc30a21cf1175e97567fa5153c0efc7d955a45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7915/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\n\nFix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\nroutine if the chip does not support dbdc and the hw reports band_idx\nset to 1."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:54.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/268e8ef187eb8780d021b0e4f5ffa92dee5c4983"
},
{
"url": "https://git.kernel.org/stable/c/62fdc974894eec80d678523458cf99bbdb887e22"
}
],
"title": "mt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49484",
"datePublished": "2025-02-26T02:13:23.452Z",
"dateReserved": "2025-02-26T02:08:31.582Z",
"dateUpdated": "2025-10-01T19:46:44.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49722 (GCVE-0-2022-49722)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix memory corruption in VF driver
Disable VF's RX/TX queues, when it's disabled. VF can have queues enabled,
when it requests a reset. If PF driver assumes that VF is disabled,
while VF still has queues configured, VF may unmap DMA resources.
In such scenario device still can map packets to memory, which ends up
silently corrupting it.
Previously, VF driver could experience memory corruption, which lead to
crash:
[ 5119.170157] BUG: unable to handle kernel paging request at 00001b9780003237
[ 5119.170166] PGD 0 P4D 0
[ 5119.170173] Oops: 0002 [#1] PREEMPT_RT SMP PTI
[ 5119.170181] CPU: 30 PID: 427592 Comm: kworker/u96:2 Kdump: loaded Tainted: G W I --------- - - 4.18.0-372.9.1.rt7.166.el8.x86_64 #1
[ 5119.170189] Hardware name: Dell Inc. PowerEdge R740/014X06, BIOS 2.3.10 08/15/2019
[ 5119.170193] Workqueue: iavf iavf_adminq_task [iavf]
[ 5119.170219] RIP: 0010:__page_frag_cache_drain+0x5/0x30
[ 5119.170238] Code: 0f 0f b6 77 51 85 f6 74 07 31 d2 e9 05 df ff ff e9 90 fe ff ff 48 8b 05 49 db 33 01 eb b4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <f0> 29 77 34 74 01 c3 48 8b 07 f6 c4 80 74 0f 0f b6 77 51 85 f6 74
[ 5119.170244] RSP: 0018:ffffa43b0bdcfd78 EFLAGS: 00010282
[ 5119.170250] RAX: ffffffff896b3e40 RBX: ffff8fb282524000 RCX: 0000000000000002
[ 5119.170254] RDX: 0000000049000000 RSI: 0000000000000000 RDI: 00001b9780003203
[ 5119.170259] RBP: ffff8fb248217b00 R08: 0000000000000022 R09: 0000000000000009
[ 5119.170262] R10: 2b849d6300000000 R11: 0000000000000020 R12: 0000000000000000
[ 5119.170265] R13: 0000000000001000 R14: 0000000000000009 R15: 0000000000000000
[ 5119.170269] FS: 0000000000000000(0000) GS:ffff8fb1201c0000(0000) knlGS:0000000000000000
[ 5119.170274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5119.170279] CR2: 00001b9780003237 CR3: 00000008f3e1a003 CR4: 00000000007726e0
[ 5119.170283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5119.170286] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5119.170290] PKRU: 55555554
[ 5119.170292] Call Trace:
[ 5119.170298] iavf_clean_rx_ring+0xad/0x110 [iavf]
[ 5119.170324] iavf_free_rx_resources+0xe/0x50 [iavf]
[ 5119.170342] iavf_free_all_rx_resources.part.51+0x30/0x40 [iavf]
[ 5119.170358] iavf_virtchnl_completion+0xd8a/0x15b0 [iavf]
[ 5119.170377] ? iavf_clean_arq_element+0x210/0x280 [iavf]
[ 5119.170397] iavf_adminq_task+0x126/0x2e0 [iavf]
[ 5119.170416] process_one_work+0x18f/0x420
[ 5119.170429] worker_thread+0x30/0x370
[ 5119.170437] ? process_one_work+0x420/0x420
[ 5119.170445] kthread+0x151/0x170
[ 5119.170452] ? set_kthread_struct+0x40/0x40
[ 5119.170460] ret_from_fork+0x35/0x40
[ 5119.170477] Modules linked in: iavf sctp ip6_udp_tunnel udp_tunnel mlx4_en mlx4_core nfp tls vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support dell_smbios wmi_bmof dell_wmi_descriptor dcdbas kvm_intel kvm irqbypass intel_rapl_common isst_if_common skx_edac irdma nfit libnvdimm x86_pkg_temp_thermal i40e intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ib_uverbs rapl ipmi_ssif intel_cstate intel_uncore mei_me pcspkr acpi_ipmi ib_core mei lpc_ich i2c_i801 ipmi_si ipmi_devintf wmi ipmi_msghandler acpi_power_meter xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ice ahci drm libahci crc32c_intel libata tg3 megaraid_sas
[ 5119.170613] i2c_algo_bit dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: iavf]
[ 5119.170627] CR2: 00001b9780003237
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_vf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bb8253b1dd44cf004e12c333acc6f25ee286cf3",
"status": "affected",
"version": "ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48",
"versionType": "git"
},
{
"lessThan": "efe41860008e57fb6b69855b4b93fdf34bc42798",
"status": "affected",
"version": "ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_vf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix memory corruption in VF driver\n\nDisable VF\u0027s RX/TX queues, when it\u0027s disabled. VF can have queues enabled,\nwhen it requests a reset. If PF driver assumes that VF is disabled,\nwhile VF still has queues configured, VF may unmap DMA resources.\nIn such scenario device still can map packets to memory, which ends up\nsilently corrupting it.\nPreviously, VF driver could experience memory corruption, which lead to\ncrash:\n[ 5119.170157] BUG: unable to handle kernel paging request at 00001b9780003237\n[ 5119.170166] PGD 0 P4D 0\n[ 5119.170173] Oops: 0002 [#1] PREEMPT_RT SMP PTI\n[ 5119.170181] CPU: 30 PID: 427592 Comm: kworker/u96:2 Kdump: loaded Tainted: G W I --------- - - 4.18.0-372.9.1.rt7.166.el8.x86_64 #1\n[ 5119.170189] Hardware name: Dell Inc. PowerEdge R740/014X06, BIOS 2.3.10 08/15/2019\n[ 5119.170193] Workqueue: iavf iavf_adminq_task [iavf]\n[ 5119.170219] RIP: 0010:__page_frag_cache_drain+0x5/0x30\n[ 5119.170238] Code: 0f 0f b6 77 51 85 f6 74 07 31 d2 e9 05 df ff ff e9 90 fe ff ff 48 8b 05 49 db 33 01 eb b4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 \u003cf0\u003e 29 77 34 74 01 c3 48 8b 07 f6 c4 80 74 0f 0f b6 77 51 85 f6 74\n[ 5119.170244] RSP: 0018:ffffa43b0bdcfd78 EFLAGS: 00010282\n[ 5119.170250] RAX: ffffffff896b3e40 RBX: ffff8fb282524000 RCX: 0000000000000002\n[ 5119.170254] RDX: 0000000049000000 RSI: 0000000000000000 RDI: 00001b9780003203\n[ 5119.170259] RBP: ffff8fb248217b00 R08: 0000000000000022 R09: 0000000000000009\n[ 5119.170262] R10: 2b849d6300000000 R11: 0000000000000020 R12: 0000000000000000\n[ 5119.170265] R13: 0000000000001000 R14: 0000000000000009 R15: 0000000000000000\n[ 5119.170269] FS: 0000000000000000(0000) GS:ffff8fb1201c0000(0000) knlGS:0000000000000000\n[ 5119.170274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5119.170279] CR2: 00001b9780003237 CR3: 00000008f3e1a003 CR4: 00000000007726e0\n[ 5119.170283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 5119.170286] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 5119.170290] PKRU: 55555554\n[ 5119.170292] Call Trace:\n[ 5119.170298] iavf_clean_rx_ring+0xad/0x110 [iavf]\n[ 5119.170324] iavf_free_rx_resources+0xe/0x50 [iavf]\n[ 5119.170342] iavf_free_all_rx_resources.part.51+0x30/0x40 [iavf]\n[ 5119.170358] iavf_virtchnl_completion+0xd8a/0x15b0 [iavf]\n[ 5119.170377] ? iavf_clean_arq_element+0x210/0x280 [iavf]\n[ 5119.170397] iavf_adminq_task+0x126/0x2e0 [iavf]\n[ 5119.170416] process_one_work+0x18f/0x420\n[ 5119.170429] worker_thread+0x30/0x370\n[ 5119.170437] ? process_one_work+0x420/0x420\n[ 5119.170445] kthread+0x151/0x170\n[ 5119.170452] ? set_kthread_struct+0x40/0x40\n[ 5119.170460] ret_from_fork+0x35/0x40\n[ 5119.170477] Modules linked in: iavf sctp ip6_udp_tunnel udp_tunnel mlx4_en mlx4_core nfp tls vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support dell_smbios wmi_bmof dell_wmi_descriptor dcdbas kvm_intel kvm irqbypass intel_rapl_common isst_if_common skx_edac irdma nfit libnvdimm x86_pkg_temp_thermal i40e intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ib_uverbs rapl ipmi_ssif intel_cstate intel_uncore mei_me pcspkr acpi_ipmi ib_core mei lpc_ich i2c_i801 ipmi_si ipmi_devintf wmi ipmi_msghandler acpi_power_meter xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ice ahci drm libahci crc32c_intel libata tg3 megaraid_sas\n[ 5119.170613] i2c_algo_bit dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: iavf]\n[ 5119.170627] CR2: 00001b9780003237"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:05.634Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bb8253b1dd44cf004e12c333acc6f25ee286cf3"
},
{
"url": "https://git.kernel.org/stable/c/efe41860008e57fb6b69855b4b93fdf34bc42798"
}
],
"title": "ice: Fix memory corruption in VF driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49722",
"datePublished": "2025-02-26T02:24:35.357Z",
"dateReserved": "2025-02-26T02:21:30.446Z",
"dateUpdated": "2025-05-04T08:44:05.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49492 (GCVE-0-2022-49492)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
In nvme_alloc_admin_tags, the admin_q can be set to an error (typically
-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which
is checked immediately after the call. However, when we return the error
message up the stack, to nvme_reset_work the error takes us to
nvme_remove_dead_ctrl()
nvme_dev_disable()
nvme_suspend_queue(&dev->queues[0]).
Here, we only check that the admin_q is non-NULL, rather than not
an error or NULL, and begin quiescing a queue that never existed, leading
to bad / NULL pointer dereference.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:56.150719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8321b17789f614414206af07e17ce4751c95dc76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e649471b396fa0139d53919354ce1eace9b9a24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8da2b7bdb47e94bbc4062a3978c708926bcb022c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f76729662650cd7bc8f8194e057af381370349a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af98940dd33c9f9e1beb4f71c0a39260100e2a65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "906c81dba8ee8057523859b5e1a2479e9fd34860",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a28556082d1fbcbc599baf1c24252dfc73efefc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54a4c1e47d1b2585e74920399455bd9abbfb2bd7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da42761181627e9bdc37d18368b827948a583929",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags\n\nIn nvme_alloc_admin_tags, the admin_q can be set to an error (typically\n-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which\nis checked immediately after the call. However, when we return the error\nmessage up the stack, to nvme_reset_work the error takes us to\nnvme_remove_dead_ctrl()\n nvme_dev_disable()\n nvme_suspend_queue(\u0026dev-\u003equeues[0]).\n\nHere, we only check that the admin_q is non-NULL, rather than not\nan error or NULL, and begin quiescing a queue that never existed, leading\nto bad / NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:05.167Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8321b17789f614414206af07e17ce4751c95dc76"
},
{
"url": "https://git.kernel.org/stable/c/9e649471b396fa0139d53919354ce1eace9b9a24"
},
{
"url": "https://git.kernel.org/stable/c/8da2b7bdb47e94bbc4062a3978c708926bcb022c"
},
{
"url": "https://git.kernel.org/stable/c/f76729662650cd7bc8f8194e057af381370349a7"
},
{
"url": "https://git.kernel.org/stable/c/af98940dd33c9f9e1beb4f71c0a39260100e2a65"
},
{
"url": "https://git.kernel.org/stable/c/906c81dba8ee8057523859b5e1a2479e9fd34860"
},
{
"url": "https://git.kernel.org/stable/c/7a28556082d1fbcbc599baf1c24252dfc73efefc"
},
{
"url": "https://git.kernel.org/stable/c/54a4c1e47d1b2585e74920399455bd9abbfb2bd7"
},
{
"url": "https://git.kernel.org/stable/c/da42761181627e9bdc37d18368b827948a583929"
}
],
"title": "nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49492",
"datePublished": "2025-02-26T02:13:28.820Z",
"dateReserved": "2025-02-26T02:08:31.585Z",
"dateUpdated": "2025-10-01T19:46:43.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49230 (GCVE-0-2022-49230)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta
Free allocated skb in mt7915_mcu_add_sta routine in case of failures.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:15.475112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:03.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7915/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "daf02c7e3c3dc82ffa925999597bd455cf799551",
"status": "affected",
"version": "89bbd3730f382f15cfcc2c9264c65b5901ce02fa",
"versionType": "git"
},
{
"lessThan": "b334a245ff1d76b1e97af8cea648ea6798b9eb87",
"status": "affected",
"version": "89bbd3730f382f15cfcc2c9264c65b5901ce02fa",
"versionType": "git"
},
{
"lessThan": "a43736cd12d82913102eb49cb56787a5553e028f",
"status": "affected",
"version": "89bbd3730f382f15cfcc2c9264c65b5901ce02fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7915/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta\n\nFree allocated skb in mt7915_mcu_add_sta routine in case of failures."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:55.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/daf02c7e3c3dc82ffa925999597bd455cf799551"
},
{
"url": "https://git.kernel.org/stable/c/b334a245ff1d76b1e97af8cea648ea6798b9eb87"
},
{
"url": "https://git.kernel.org/stable/c/a43736cd12d82913102eb49cb56787a5553e028f"
}
],
"title": "mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49230",
"datePublished": "2025-02-26T01:55:57.662Z",
"dateReserved": "2025-02-26T01:49:39.293Z",
"dateUpdated": "2025-10-01T19:47:03.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49605 (GCVE-0-2022-49605)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igc: Reinstate IGC_REMOVED logic and implement it properly
The initially merged version of the igc driver code (via commit
146740f9abc4, "igc: Add support for PF") contained the following
IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:
u32 igc_rd32(struct igc_hw *hw, u32 reg)
{
u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
u32 value = 0;
if (IGC_REMOVED(hw_addr))
return ~value;
value = readl(&hw_addr[reg]);
/* reads should not return all F's */
if (!(~value) && (!reg || !(~readl(hw_addr))))
hw->hw_addr = NULL;
return value;
}
And:
#define wr32(reg, val) \
do { \
u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
if (!IGC_REMOVED(hw_addr)) \
writel((val), &hw_addr[(reg)]); \
} while (0)
E.g. igb has similar checks in its MMIO accessors, and has a similar
macro E1000_REMOVED, which is implemented as follows:
#define E1000_REMOVED(h) unlikely(!(h))
These checks serve to detect and take note of an 0xffffffff MMIO read
return from the device, which can be caused by a PCIe link flap or some
other kind of PCI bus error, and to avoid performing MMIO reads and
writes from that point onwards.
However, the IGC_REMOVED macro was not originally implemented:
#ifndef IGC_REMOVED
#define IGC_REMOVED(a) (0)
#endif /* IGC_REMOVED */
This led to the IGC_REMOVED logic to be removed entirely in a
subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED
function"), with the rationale that such checks matter only for
virtualization and that igc does not support virtualization -- but a
PCIe device can become detached even without virtualization being in
use, and without proper checks, a PCIe bus error affecting an igc
adapter will lead to various NULL pointer dereferences, as the first
access after the error will set hw->hw_addr to NULL, and subsequent
accesses will blindly dereference this now-NULL pointer.
This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and
implements IGC_REMOVED the way it is done for igb, by checking for the
unlikely() case of hw_addr being NULL. This change prevents the oopses
seen when a PCIe link flap occurs on an igc adapter.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c",
"drivers/net/ethernet/intel/igc/igc_regs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16cb6717f4f42487ef10583eb8bc98e7d1e33d65",
"status": "affected",
"version": "146740f9abc4976e4f0af1aa302efee1c699d2e4",
"versionType": "git"
},
{
"lessThan": "77836dbe35382aaf8108489060c5c89530c77494",
"status": "affected",
"version": "146740f9abc4976e4f0af1aa302efee1c699d2e4",
"versionType": "git"
},
{
"lessThan": "e75b73081f1ec169518773626c2ff3950476660b",
"status": "affected",
"version": "146740f9abc4976e4f0af1aa302efee1c699d2e4",
"versionType": "git"
},
{
"lessThan": "70965b6e5c03aa70cc754af1226b9f9cde0c4bf3",
"status": "affected",
"version": "146740f9abc4976e4f0af1aa302efee1c699d2e4",
"versionType": "git"
},
{
"lessThan": "7c1ddcee5311f3315096217881d2dbe47cc683f9",
"status": "affected",
"version": "146740f9abc4976e4f0af1aa302efee1c699d2e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c",
"drivers/net/ethernet/intel/igc/igc_regs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reinstate IGC_REMOVED logic and implement it properly\n\nThe initially merged version of the igc driver code (via commit\n146740f9abc4, \"igc: Add support for PF\") contained the following\nIGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:\n\n\tu32 igc_rd32(struct igc_hw *hw, u32 reg)\n\t{\n\t\tu8 __iomem *hw_addr = READ_ONCE(hw-\u003ehw_addr);\n\t\tu32 value = 0;\n\n\t\tif (IGC_REMOVED(hw_addr))\n\t\t\treturn ~value;\n\n\t\tvalue = readl(\u0026hw_addr[reg]);\n\n\t\t/* reads should not return all F\u0027s */\n\t\tif (!(~value) \u0026\u0026 (!reg || !(~readl(hw_addr))))\n\t\t\thw-\u003ehw_addr = NULL;\n\n\t\treturn value;\n\t}\n\nAnd:\n\n\t#define wr32(reg, val) \\\n\tdo { \\\n\t\tu8 __iomem *hw_addr = READ_ONCE((hw)-\u003ehw_addr); \\\n\t\tif (!IGC_REMOVED(hw_addr)) \\\n\t\t\twritel((val), \u0026hw_addr[(reg)]); \\\n\t} while (0)\n\nE.g. igb has similar checks in its MMIO accessors, and has a similar\nmacro E1000_REMOVED, which is implemented as follows:\n\n\t#define E1000_REMOVED(h) unlikely(!(h))\n\nThese checks serve to detect and take note of an 0xffffffff MMIO read\nreturn from the device, which can be caused by a PCIe link flap or some\nother kind of PCI bus error, and to avoid performing MMIO reads and\nwrites from that point onwards.\n\nHowever, the IGC_REMOVED macro was not originally implemented:\n\n\t#ifndef IGC_REMOVED\n\t#define IGC_REMOVED(a) (0)\n\t#endif /* IGC_REMOVED */\n\nThis led to the IGC_REMOVED logic to be removed entirely in a\nsubsequent commit (commit 3c215fb18e70, \"igc: remove IGC_REMOVED\nfunction\"), with the rationale that such checks matter only for\nvirtualization and that igc does not support virtualization -- but a\nPCIe device can become detached even without virtualization being in\nuse, and without proper checks, a PCIe bus error affecting an igc\nadapter will lead to various NULL pointer dereferences, as the first\naccess after the error will set hw-\u003ehw_addr to NULL, and subsequent\naccesses will blindly dereference this now-NULL pointer.\n\nThis patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and\nimplements IGC_REMOVED the way it is done for igb, by checking for the\nunlikely() case of hw_addr being NULL. This change prevents the oopses\nseen when a PCIe link flap occurs on an igc adapter."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:38.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65"
},
{
"url": "https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494"
},
{
"url": "https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b"
},
{
"url": "https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3"
},
{
"url": "https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9"
}
],
"title": "igc: Reinstate IGC_REMOVED logic and implement it properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49605",
"datePublished": "2025-02-26T02:23:30.873Z",
"dateReserved": "2025-02-26T02:21:30.416Z",
"dateUpdated": "2025-05-04T08:41:38.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50126 (GCVE-0-2024-50126)
Vulnerability from cvelistv5
Published
2024-11-05 17:10
Modified
2025-11-03 22:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: use RCU read-side critical section in taprio_dump()
Fix possible use-after-free in 'taprio_dump()' by adding RCU
read-side critical section there. Never seen on x86 but
found on a KASAN-enabled arm64 system when investigating
https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:
[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
[T15862]
[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
[T15862] Call trace:
[T15862] dump_backtrace+0x20c/0x220
[T15862] show_stack+0x2c/0x40
[T15862] dump_stack_lvl+0xf8/0x174
[T15862] print_report+0x170/0x4d8
[T15862] kasan_report+0xb8/0x1d4
[T15862] __asan_report_load4_noabort+0x20/0x2c
[T15862] taprio_dump+0xa0c/0xbb0
[T15862] tc_fill_qdisc+0x540/0x1020
[T15862] qdisc_notify.isra.0+0x330/0x3a0
[T15862] tc_modify_qdisc+0x7b8/0x1838
[T15862] rtnetlink_rcv_msg+0x3c8/0xc20
[T15862] netlink_rcv_skb+0x1f8/0x3d4
[T15862] rtnetlink_rcv+0x28/0x40
[T15862] netlink_unicast+0x51c/0x790
[T15862] netlink_sendmsg+0x79c/0xc20
[T15862] __sock_sendmsg+0xe0/0x1a0
[T15862] ____sys_sendmsg+0x6c0/0x840
[T15862] ___sys_sendmsg+0x1ac/0x1f0
[T15862] __sys_sendmsg+0x110/0x1d0
[T15862] __arm64_sys_sendmsg+0x74/0xb0
[T15862] invoke_syscall+0x88/0x2e0
[T15862] el0_svc_common.constprop.0+0xe4/0x2a0
[T15862] do_el0_svc+0x44/0x60
[T15862] el0_svc+0x50/0x184
[T15862] el0t_64_sync_handler+0x120/0x12c
[T15862] el0t_64_sync+0x190/0x194
[T15862]
[T15862] Allocated by task 15857:
[T15862] kasan_save_stack+0x3c/0x70
[T15862] kasan_save_track+0x20/0x3c
[T15862] kasan_save_alloc_info+0x40/0x60
[T15862] __kasan_kmalloc+0xd4/0xe0
[T15862] __kmalloc_cache_noprof+0x194/0x334
[T15862] taprio_change+0x45c/0x2fe0
[T15862] tc_modify_qdisc+0x6a8/0x1838
[T15862] rtnetlink_rcv_msg+0x3c8/0xc20
[T15862] netlink_rcv_skb+0x1f8/0x3d4
[T15862] rtnetlink_rcv+0x28/0x40
[T15862] netlink_unicast+0x51c/0x790
[T15862] netlink_sendmsg+0x79c/0xc20
[T15862] __sock_sendmsg+0xe0/0x1a0
[T15862] ____sys_sendmsg+0x6c0/0x840
[T15862] ___sys_sendmsg+0x1ac/0x1f0
[T15862] __sys_sendmsg+0x110/0x1d0
[T15862] __arm64_sys_sendmsg+0x74/0xb0
[T15862] invoke_syscall+0x88/0x2e0
[T15862] el0_svc_common.constprop.0+0xe4/0x2a0
[T15862] do_el0_svc+0x44/0x60
[T15862] el0_svc+0x50/0x184
[T15862] el0t_64_sync_handler+0x120/0x12c
[T15862] el0t_64_sync+0x190/0x194
[T15862]
[T15862] Freed by task 6192:
[T15862] kasan_save_stack+0x3c/0x70
[T15862] kasan_save_track+0x20/0x3c
[T15862] kasan_save_free_info+0x4c/0x80
[T15862] poison_slab_object+0x110/0x160
[T15862] __kasan_slab_free+0x3c/0x74
[T15862] kfree+0x134/0x3c0
[T15862] taprio_free_sched_cb+0x18c/0x220
[T15862] rcu_core+0x920/0x1b7c
[T15862] rcu_core_si+0x10/0x1c
[T15862] handle_softirqs+0x2e8/0xd64
[T15862] __do_softirq+0x14/0x20
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:28:25.069183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:33.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:47.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b911fa9e92ee586e36479ad57b88f20471acaca1",
"status": "affected",
"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
"versionType": "git"
},
{
"lessThan": "5d282467245f267c0b9ada3f7f309ff838521536",
"status": "affected",
"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
"versionType": "git"
},
{
"lessThan": "e4369cb6acf6b895ac2453cc1cdf2f4326122c6d",
"status": "affected",
"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
"versionType": "git"
},
{
"lessThan": "b22db8b8befe90b61c98626ca1a2fbb0505e9fe3",
"status": "affected",
"version": "18cdd2f0998a4967b1fff4c43ed9aef049e42c39",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in \u0027taprio_dump()\u0027 by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:46:38.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"
},
{
"url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"
},
{
"url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"
},
{
"url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"
}
],
"title": "net: sched: use RCU read-side critical section in taprio_dump()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50126",
"datePublished": "2024-11-05T17:10:53.741Z",
"dateReserved": "2024-10-21T19:36:19.954Z",
"dateUpdated": "2025-11-03T22:25:47.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49721 (GCVE-0-2022-49721)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: ftrace: consistently handle PLTs.
Sometimes it is necessary to use a PLT entry to call an ftrace
trampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),
with each having *almost* identical logic, but this is not handled by
ftrace_modify_call() since its introduction in commit:
3b23e4991fb66f6d ("arm64: implement ftrace with regs")
Due to this, if we ever were to call ftrace_modify_call() for a callsite
which requires a PLT entry for a trampoline, then either:
a) If the old addr requires a trampoline, ftrace_modify_call() will use
an out-of-range address to generate the 'old' branch instruction.
This will result in warnings from aarch64_insn_gen_branch_imm() and
ftrace_modify_code(), and no instructions will be modified. As
ftrace_modify_call() will return an error, this will result in
subsequent internal ftrace errors.
b) If the old addr does not require a trampoline, but the new addr does,
ftrace_modify_call() will use an out-of-range address to generate the
'new' branch instruction. This will result in warnings from
aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace
the 'old' branch with a BRK. This will result in a kernel panic when
this BRK is later executed.
Practically speaking, case (a) is vastly more likely than case (b), and
typically this will result in internal ftrace errors that don't
necessarily affect the rest of the system. This can be demonstrated with
an out-of-tree test module which triggers ftrace_modify_call(), e.g.
| # insmod test_ftrace.ko
| test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024
| branch_imm_common: offset out of range
| branch_imm_common: offset out of range
| ------------[ ftrace bug ]------------
| ftrace failed to modify
| [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace]
| actual: 1d:00:00:94
| Updating ftrace call site to call a different ftrace function
| ftrace record flags: e0000002
| (2) R
| expected tramp: ffffb374ae42ed54
| ------------[ cut here ]------------
| WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0
| Modules linked in: test_ftrace(+)
| CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13
| Hardware name: linux,dummy-virt (DT)
| pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : ftrace_bug+0x280/0x2b0
| lr : ftrace_bug+0x280/0x2b0
| sp : ffff80000839ba00
| x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0
| x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000
| x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8
| x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff
| x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4
| x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666
| x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8
| x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167
| x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022
| Call trace:
| ftrace_bug+0x280/0x2b0
| ftrace_replace_code+0x98/0xa0
| ftrace_modify_all_code+0xe0/0x144
| arch_ftrace_update_code+0x14/0x20
| ftrace_startup+0xf8/0x1b0
| register_ftrace_function+0x38/0x90
| test_ftrace_init+0xd0/0x1000 [test_ftrace]
| do_one_initcall+0x50/0x2b0
| do_init_module+0x50/0x1f0
| load_module+0x17c8/0x1d64
| __do_sys_finit_module+0xa8/0x100
| __arm64_sys_finit_module+0x2c/0x3c
| invoke_syscall+0x50/0x120
| el0_svc_common.constprop.0+0xdc/0x100
| do_el0_svc+0x3c/0xd0
| el0_svc+0x34/0xb0
| el0t_64_sync_handler+0xbc/0x140
| el0t_64_sync+0x18c/0x190
| ---[ end trace 0000000000000000 ]---
We can solve this by consistently determining whether to use a PLT entry
for an address.
Note that since (the earlier) commit:
f1a54ae9
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc28fde90937a920f7714ec4408269cac744f796",
"status": "affected",
"version": "3b23e4991fb66f6d152f9055ede271a726ef9f21",
"versionType": "git"
},
{
"lessThan": "db73aa9466338ec821ed2a0b01721fe4d06876b1",
"status": "affected",
"version": "3b23e4991fb66f6d152f9055ede271a726ef9f21",
"versionType": "git"
},
{
"lessThan": "dcecc96ed16f73417de5550f384e348c9d56f279",
"status": "affected",
"version": "3b23e4991fb66f6d152f9055ede271a726ef9f21",
"versionType": "git"
},
{
"lessThan": "a6253579977e4c6f7818eeb05bf2bc65678a7187",
"status": "affected",
"version": "3b23e4991fb66f6d152f9055ede271a726ef9f21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: consistently handle PLTs.\n\nSometimes it is necessary to use a PLT entry to call an ftrace\ntrampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),\nwith each having *almost* identical logic, but this is not handled by\nftrace_modify_call() since its introduction in commit:\n\n 3b23e4991fb66f6d (\"arm64: implement ftrace with regs\")\n\nDue to this, if we ever were to call ftrace_modify_call() for a callsite\nwhich requires a PLT entry for a trampoline, then either:\n\na) If the old addr requires a trampoline, ftrace_modify_call() will use\n an out-of-range address to generate the \u0027old\u0027 branch instruction.\n This will result in warnings from aarch64_insn_gen_branch_imm() and\n ftrace_modify_code(), and no instructions will be modified. As\n ftrace_modify_call() will return an error, this will result in\n subsequent internal ftrace errors.\n\nb) If the old addr does not require a trampoline, but the new addr does,\n ftrace_modify_call() will use an out-of-range address to generate the\n \u0027new\u0027 branch instruction. This will result in warnings from\n aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace\n the \u0027old\u0027 branch with a BRK. This will result in a kernel panic when\n this BRK is later executed.\n\nPractically speaking, case (a) is vastly more likely than case (b), and\ntypically this will result in internal ftrace errors that don\u0027t\nnecessarily affect the rest of the system. This can be demonstrated with\nan out-of-tree test module which triggers ftrace_modify_call(), e.g.\n\n| # insmod test_ftrace.ko\n| test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024\n| branch_imm_common: offset out of range\n| branch_imm_common: offset out of range\n| ------------[ ftrace bug ]------------\n| ftrace failed to modify\n| [\u003cffffb37493992024\u003e] test_function+0x8/0x38 [test_ftrace]\n| actual: 1d:00:00:94\n| Updating ftrace call site to call a different ftrace function\n| ftrace record flags: e0000002\n| (2) R\n| expected tramp: ffffb374ae42ed54\n| ------------[ cut here ]------------\n| WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0\n| Modules linked in: test_ftrace(+)\n| CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : ftrace_bug+0x280/0x2b0\n| lr : ftrace_bug+0x280/0x2b0\n| sp : ffff80000839ba00\n| x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0\n| x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000\n| x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8\n| x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff\n| x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4\n| x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666\n| x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8\n| x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167\n| x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000\n| x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022\n| Call trace:\n| ftrace_bug+0x280/0x2b0\n| ftrace_replace_code+0x98/0xa0\n| ftrace_modify_all_code+0xe0/0x144\n| arch_ftrace_update_code+0x14/0x20\n| ftrace_startup+0xf8/0x1b0\n| register_ftrace_function+0x38/0x90\n| test_ftrace_init+0xd0/0x1000 [test_ftrace]\n| do_one_initcall+0x50/0x2b0\n| do_init_module+0x50/0x1f0\n| load_module+0x17c8/0x1d64\n| __do_sys_finit_module+0xa8/0x100\n| __arm64_sys_finit_module+0x2c/0x3c\n| invoke_syscall+0x50/0x120\n| el0_svc_common.constprop.0+0xdc/0x100\n| do_el0_svc+0x3c/0xd0\n| el0_svc+0x34/0xb0\n| el0t_64_sync_handler+0xbc/0x140\n| el0t_64_sync+0x18c/0x190\n| ---[ end trace 0000000000000000 ]---\n\nWe can solve this by consistently determining whether to use a PLT entry\nfor an address.\n\nNote that since (the earlier) commit:\n\n f1a54ae9\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:04.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc28fde90937a920f7714ec4408269cac744f796"
},
{
"url": "https://git.kernel.org/stable/c/db73aa9466338ec821ed2a0b01721fe4d06876b1"
},
{
"url": "https://git.kernel.org/stable/c/dcecc96ed16f73417de5550f384e348c9d56f279"
},
{
"url": "https://git.kernel.org/stable/c/a6253579977e4c6f7818eeb05bf2bc65678a7187"
}
],
"title": "arm64: ftrace: consistently handle PLTs.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49721",
"datePublished": "2025-02-26T02:24:34.685Z",
"dateReserved": "2025-02-26T02:21:30.446Z",
"dateUpdated": "2025-05-04T08:44:04.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49086 (GCVE-0-2022-49086)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix leak of nested actions
While parsing user-provided actions, openvswitch module may dynamically
allocate memory and store pointers in the internal copy of the actions.
So this memory has to be freed while destroying the actions.
Currently there are only two such actions: ct() and set(). However,
there are many actions that can hold nested lists of actions and
ovs_nla_free_flow_actions() just jumps over them leaking the memory.
For example, removal of the flow with the following actions will lead
to a leak of the memory allocated by nf_ct_tmpl_alloc():
actions:clone(ct(commit),0)
Non-freed set() action may also leak the 'dst' structure for the
tunnel info including device references.
Under certain conditions with a high rate of flow rotation that may
cause significant memory leak problem (2MB per second in reporter's
case). The problem is also hard to mitigate, because the user doesn't
have direct control over the datapath flows generated by OVS.
Fix that by iterating over all the nested actions and freeing
everything that needs to be freed recursively.
New build time assertion should protect us from this problem if new
actions will be added in the future.
Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all
attributes has to be explicitly checked. sample() and clone() actions
are mixing extra attributes into the user-provided action list. That
prevents some code generalization too.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d Version: 34ae932a40369be6bd6ea97d66b6686361b4370d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7438dc55c0709819b813f4778aec2c48b782990b",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "5ae05b5eb58773cfec307ff88aff4cfd843c4cff",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "837b96d8103938e35e7d92cd9db96af914ca4fff",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "3554c214b83ec9a839ed574263a34218f372990c",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "53bce9d19b0a9d245b25cd050b81652ed974a509",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
},
{
"lessThan": "1f30fb9166d4f15a1aa19449b9da871fe0ed4796",
"status": "affected",
"version": "34ae932a40369be6bd6ea97d66b6686361b4370d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix leak of nested actions\n\nWhile parsing user-provided actions, openvswitch module may dynamically\nallocate memory and store pointers in the internal copy of the actions.\nSo this memory has to be freed while destroying the actions.\n\nCurrently there are only two such actions: ct() and set(). However,\nthere are many actions that can hold nested lists of actions and\novs_nla_free_flow_actions() just jumps over them leaking the memory.\n\nFor example, removal of the flow with the following actions will lead\nto a leak of the memory allocated by nf_ct_tmpl_alloc():\n\n actions:clone(ct(commit),0)\n\nNon-freed set() action may also leak the \u0027dst\u0027 structure for the\ntunnel info including device references.\n\nUnder certain conditions with a high rate of flow rotation that may\ncause significant memory leak problem (2MB per second in reporter\u0027s\ncase). The problem is also hard to mitigate, because the user doesn\u0027t\nhave direct control over the datapath flows generated by OVS.\n\nFix that by iterating over all the nested actions and freeing\neverything that needs to be freed recursively.\n\nNew build time assertion should protect us from this problem if new\nactions will be added in the future.\n\nUnfortunately, openvswitch module doesn\u0027t use NLA_F_NESTED, so all\nattributes has to be explicitly checked. sample() and clone() actions\nare mixing extra attributes into the user-provided action list. That\nprevents some code generalization too."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:25.798Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b"
},
{
"url": "https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40"
},
{
"url": "https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff"
},
{
"url": "https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff"
},
{
"url": "https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c"
},
{
"url": "https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509"
},
{
"url": "https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796"
}
],
"title": "net: openvswitch: fix leak of nested actions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49086",
"datePublished": "2025-02-26T01:54:44.072Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T08:29:25.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49516 (GCVE-0-2022-49516)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: always check VF VSI pointer values
The ice_get_vf_vsi function can return NULL in some cases, such as if
handling messages during a reset where the VSI is being removed and
recreated.
Several places throughout the driver do not bother to check whether this
VSI pointer is valid. Static analysis tools maybe report issues because
they detect paths where a potentially NULL pointer could be dereferenced.
Fix this by checking the return value of ice_get_vf_vsi everywhere.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:15.969011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_devlink.c",
"drivers/net/ethernet/intel/ice/ice_repr.c",
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_virtchnl.c",
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7be3877589d539c52e5d1d23a625f889b541b9d",
"status": "affected",
"version": "37165e3f5664ee901e89ff9c13723c2743c5e47f",
"versionType": "git"
},
{
"lessThan": "baeb705fd6a7245cc1fa69ed991a9cffdf44a174",
"status": "affected",
"version": "37165e3f5664ee901e89ff9c13723c2743c5e47f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_devlink.c",
"drivers/net/ethernet/intel/ice/ice_repr.c",
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_virtchnl.c",
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: always check VF VSI pointer values\n\nThe ice_get_vf_vsi function can return NULL in some cases, such as if\nhandling messages during a reset where the VSI is being removed and\nrecreated.\n\nSeveral places throughout the driver do not bother to check whether this\nVSI pointer is valid. Static analysis tools maybe report issues because\nthey detect paths where a potentially NULL pointer could be dereferenced.\n\nFix this by checking the return value of ice_get_vf_vsi everywhere."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:37.028Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7be3877589d539c52e5d1d23a625f889b541b9d"
},
{
"url": "https://git.kernel.org/stable/c/baeb705fd6a7245cc1fa69ed991a9cffdf44a174"
}
],
"title": "ice: always check VF VSI pointer values",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49516",
"datePublished": "2025-02-26T02:13:44.359Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:42.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52976 (GCVE-0-2023-52976)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: fix potential NULL deref in efi_mem_reserve_persistent
When iterating on a linked list, a result of memremap is dereferenced
without checking it for NULL.
This patch adds a check that falls back on allocating a new page in
case memremap doesn't succeed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[ardb: return -ENOMEM instead of breaking out of the loop]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: b5961ecad7121fec138ebee7d9eba4863f9dc6e7 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:07.723841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:22:10.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d92a25627bcdf264183670da73c9a60c0bac327e",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "87d4ff18738fd71e7e3c10827c80257da6283697",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "d8fc0b5fb3e816a4a8684bcd3ed02cbef0fce23c",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "a2e6a9ff89f13666a1c3ff7195612ab949ea9afc",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "966d47e1f27c45507c5df82b2a2157e5a4fd3909",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"status": "affected",
"version": "b5961ecad7121fec138ebee7d9eba4863f9dc6e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix potential NULL deref in efi_mem_reserve_persistent\n\nWhen iterating on a linked list, a result of memremap is dereferenced\nwithout checking it for NULL.\n\nThis patch adds a check that falls back on allocating a new page in\ncase memremap doesn\u0027t succeed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[ardb: return -ENOMEM instead of breaking out of the loop]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:57.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d92a25627bcdf264183670da73c9a60c0bac327e"
},
{
"url": "https://git.kernel.org/stable/c/87d4ff18738fd71e7e3c10827c80257da6283697"
},
{
"url": "https://git.kernel.org/stable/c/d8fc0b5fb3e816a4a8684bcd3ed02cbef0fce23c"
},
{
"url": "https://git.kernel.org/stable/c/a2e6a9ff89f13666a1c3ff7195612ab949ea9afc"
},
{
"url": "https://git.kernel.org/stable/c/966d47e1f27c45507c5df82b2a2157e5a4fd3909"
}
],
"title": "efi: fix potential NULL deref in efi_mem_reserve_persistent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52976",
"datePublished": "2025-03-27T16:43:16.596Z",
"dateReserved": "2025-03-27T16:40:15.738Z",
"dateUpdated": "2025-10-01T17:22:10.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53016 (GCVE-0-2023-53016)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
syzbot reports a possible deadlock in rfcomm_sk_state_change [1].
While rfcomm_sock_connect acquires the sk lock and waits for
the rfcomm lock, rfcomm_sock_release could have the rfcomm
lock and hit a deadlock for acquiring the sk lock.
Here's a simplified flow:
rfcomm_sock_connect:
lock_sock(sk)
rfcomm_dlc_open:
rfcomm_lock()
rfcomm_sock_release:
rfcomm_sock_shutdown:
rfcomm_lock()
__rfcomm_dlc_close:
rfcomm_k_state_change:
lock_sock(sk)
This patch drops the sk lock before calling rfcomm_dlc_open to
avoid the possible deadlock and holds sk's reference count to
prevent use-after-free after rfcomm_dlc_open completes.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:20:21.041847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:20:23.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98aec50ff7f60cc6f2d6a4396b475c547e58b04d",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
},
{
"lessThan": "17511bd84871f4a6106cb335616e086880313f3f",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
},
{
"lessThan": "1d80d57ffcb55488f0ec0b77928d4f82d16b6a90",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix possible deadlock in rfcomm_sk_state_change\n\nsyzbot reports a possible deadlock in rfcomm_sk_state_change [1].\nWhile rfcomm_sock_connect acquires the sk lock and waits for\nthe rfcomm lock, rfcomm_sock_release could have the rfcomm\nlock and hit a deadlock for acquiring the sk lock.\nHere\u0027s a simplified flow:\n\nrfcomm_sock_connect:\n lock_sock(sk)\n rfcomm_dlc_open:\n rfcomm_lock()\n\nrfcomm_sock_release:\n rfcomm_sock_shutdown:\n rfcomm_lock()\n __rfcomm_dlc_close:\n rfcomm_k_state_change:\n\t lock_sock(sk)\n\nThis patch drops the sk lock before calling rfcomm_dlc_open to\navoid the possible deadlock and holds sk\u0027s reference count to\nprevent use-after-free after rfcomm_dlc_open completes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:44.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98aec50ff7f60cc6f2d6a4396b475c547e58b04d"
},
{
"url": "https://git.kernel.org/stable/c/17511bd84871f4a6106cb335616e086880313f3f"
},
{
"url": "https://git.kernel.org/stable/c/1d80d57ffcb55488f0ec0b77928d4f82d16b6a90"
}
],
"title": "Bluetooth: Fix possible deadlock in rfcomm_sk_state_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53016",
"datePublished": "2025-03-27T16:43:44.528Z",
"dateReserved": "2025-03-27T16:40:15.750Z",
"dateUpdated": "2025-10-01T17:20:23.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49537 (GCVE-0-2022-49537)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-29 10:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix call trace observed during I/O with CMF enabled
The following was seen with CMF enabled:
BUG: using smp_processor_id() in preemptible
code: systemd-udevd/31711
kernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: CPU: 12 PID: 31711 Comm: systemd-udevd
kernel: Call Trace:
kernel: <TASK>
kernel: dump_stack_lvl+0x44/0x57
kernel: check_preemption_disabled+0xbf/0xe0
kernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc]
this_cpu_ptr() calls smp_processor_id() in a preemptible context.
Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae373d66c427812754db5292eb1481b181daf9ce",
"status": "affected",
"version": "02243836ad6f384284f10302e6b820b893960d1c",
"versionType": "git"
},
{
"lessThan": "cd7f899de4b1b829125d72ee6fbfd878b637b815",
"status": "affected",
"version": "02243836ad6f384284f10302e6b820b893960d1c",
"versionType": "git"
},
{
"lessThan": "517e0835cfb2007713ff16c4fb8479f08b16aec7",
"status": "affected",
"version": "02243836ad6f384284f10302e6b820b893960d1c",
"versionType": "git"
},
{
"lessThan": "d6d45f67a11136cb88a70a29ab22ea6db8ae6bd5",
"status": "affected",
"version": "02243836ad6f384284f10302e6b820b893960d1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_scsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix call trace observed during I/O with CMF enabled\n\nThe following was seen with CMF enabled:\n\nBUG: using smp_processor_id() in preemptible\ncode: systemd-udevd/31711\nkernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc]\nkernel: CPU: 12 PID: 31711 Comm: systemd-udevd\nkernel: Call Trace:\nkernel: \u003cTASK\u003e\nkernel: dump_stack_lvl+0x44/0x57\nkernel: check_preemption_disabled+0xbf/0xe0\nkernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]\nkernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc]\n\nthis_cpu_ptr() calls smp_processor_id() in a preemptible context.\n\nFix by using per_cpu_ptr() with raw_smp_processor_id() instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:50:03.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae373d66c427812754db5292eb1481b181daf9ce"
},
{
"url": "https://git.kernel.org/stable/c/cd7f899de4b1b829125d72ee6fbfd878b637b815"
},
{
"url": "https://git.kernel.org/stable/c/517e0835cfb2007713ff16c4fb8479f08b16aec7"
},
{
"url": "https://git.kernel.org/stable/c/d6d45f67a11136cb88a70a29ab22ea6db8ae6bd5"
}
],
"title": "scsi: lpfc: Fix call trace observed during I/O with CMF enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49537",
"datePublished": "2025-02-26T02:13:54.542Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-29T10:50:03.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52974 (GCVE-0-2023-52974)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:50.791219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "496af9d3682ed4c28fb734342a09e6cc0c056ea4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6abd4698f4c8a78e7bbfc421205c060c199554a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d4d765f4761f9e3a2d62992f825aeee593bcb6b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9758ffe1c07b86aefd7ca8e40d9a461293427ca0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aaabdb900c7415caa2006ef580322f7eac5f6b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61e43ebfd243bcbad11be26bd921723027b77441",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress\n\nIf during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,\nuserspace could be accessing the host\u0027s ipaddress attr. If we then free the\nsession via iscsi_session_teardown() while userspace is still accessing the\nsession we will hit a use after free bug.\n\nSet the tcp_sw_host-\u003esession after we have completed session creation and\ncan no longer fail."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:36.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/496af9d3682ed4c28fb734342a09e6cc0c056ea4"
},
{
"url": "https://git.kernel.org/stable/c/6abd4698f4c8a78e7bbfc421205c060c199554a0"
},
{
"url": "https://git.kernel.org/stable/c/d4d765f4761f9e3a2d62992f825aeee593bcb6b9"
},
{
"url": "https://git.kernel.org/stable/c/9758ffe1c07b86aefd7ca8e40d9a461293427ca0"
},
{
"url": "https://git.kernel.org/stable/c/0aaabdb900c7415caa2006ef580322f7eac5f6b6"
},
{
"url": "https://git.kernel.org/stable/c/61e43ebfd243bcbad11be26bd921723027b77441"
},
{
"url": "https://git.kernel.org/stable/c/f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3"
}
],
"title": "scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52974",
"datePublished": "2025-03-27T16:43:13.792Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:36.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49507 (GCVE-0-2022-49507)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: da9121: Fix uninit-value in da9121_assign_chip_model()
KASAN report slab-out-of-bounds in __regmap_init as follows:
BUG: KASAN: slab-out-of-bounds in __regmap_init drivers/base/regmap/regmap.c:841
Read of size 1 at addr ffff88803678cdf1 by task xrun/9137
CPU: 0 PID: 9137 Comm: xrun Tainted: G W 5.18.0-rc2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x15a lib/dump_stack.c:88
print_report.cold+0xcd/0x69b mm/kasan/report.c:313
kasan_report+0x8e/0xc0 mm/kasan/report.c:491
__regmap_init+0x4540/0x4ba0 drivers/base/regmap/regmap.c:841
__devm_regmap_init+0x7a/0x100 drivers/base/regmap/regmap.c:1266
__devm_regmap_init_i2c+0x65/0x80 drivers/base/regmap/regmap-i2c.c:394
da9121_i2c_probe+0x386/0x6d1 drivers/regulator/da9121-regulator.c:1039
i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
This happend when da9121 device is probe by da9121_i2c_id, but with
invalid dts. Thus, chip->subvariant_id is set to -EINVAL, and later
da9121_assign_chip_model() will access 'regmap' without init it.
Fix it by return -EINVAL from da9121_assign_chip_model() if
'chip->subvariant_id' is invalid.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:28.959306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.759Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9121-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be96baa0c79588084e0d7a4fa21c574cec9a57f4",
"status": "affected",
"version": "f3fbd5566f6a8cdb7c48ab29bd1096205b7fbcaf",
"versionType": "git"
},
{
"lessThan": "7da64c7c82c9b29b628a62c88a8c2fb06990563d",
"status": "affected",
"version": "f3fbd5566f6a8cdb7c48ab29bd1096205b7fbcaf",
"versionType": "git"
},
{
"lessThan": "60f21eda69f1b5727a97d2077da766eb27fcc21f",
"status": "affected",
"version": "f3fbd5566f6a8cdb7c48ab29bd1096205b7fbcaf",
"versionType": "git"
},
{
"lessThan": "bab76514aca36bc513224525d5598da676938218",
"status": "affected",
"version": "f3fbd5566f6a8cdb7c48ab29bd1096205b7fbcaf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9121-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9121: Fix uninit-value in da9121_assign_chip_model()\n\nKASAN report slab-out-of-bounds in __regmap_init as follows:\n\nBUG: KASAN: slab-out-of-bounds in __regmap_init drivers/base/regmap/regmap.c:841\nRead of size 1 at addr ffff88803678cdf1 by task xrun/9137\n\nCPU: 0 PID: 9137 Comm: xrun Tainted: G W 5.18.0-rc2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x15a lib/dump_stack.c:88\n print_report.cold+0xcd/0x69b mm/kasan/report.c:313\n kasan_report+0x8e/0xc0 mm/kasan/report.c:491\n __regmap_init+0x4540/0x4ba0 drivers/base/regmap/regmap.c:841\n __devm_regmap_init+0x7a/0x100 drivers/base/regmap/regmap.c:1266\n __devm_regmap_init_i2c+0x65/0x80 drivers/base/regmap/regmap-i2c.c:394\n da9121_i2c_probe+0x386/0x6d1 drivers/regulator/da9121-regulator.c:1039\n i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563\n\nThis happend when da9121 device is probe by da9121_i2c_id, but with\ninvalid dts. Thus, chip-\u003esubvariant_id is set to -EINVAL, and later\nda9121_assign_chip_model() will access \u0027regmap\u0027 without init it.\n\nFix it by return -EINVAL from da9121_assign_chip_model() if\n\u0027chip-\u003esubvariant_id\u0027 is invalid."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:25.569Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be96baa0c79588084e0d7a4fa21c574cec9a57f4"
},
{
"url": "https://git.kernel.org/stable/c/7da64c7c82c9b29b628a62c88a8c2fb06990563d"
},
{
"url": "https://git.kernel.org/stable/c/60f21eda69f1b5727a97d2077da766eb27fcc21f"
},
{
"url": "https://git.kernel.org/stable/c/bab76514aca36bc513224525d5598da676938218"
}
],
"title": "regulator: da9121: Fix uninit-value in da9121_assign_chip_model()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49507",
"datePublished": "2025-02-26T02:13:38.821Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:42.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49257 (GCVE-0-2022-49257)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Fix NULL dereference in error cleanup
In watch_queue_set_size(), the error cleanup code doesn't take account of
the fact that __free_page() can't handle a NULL pointer when trying to free
up buffer pages that did get allocated.
Fix this by only calling __free_page() on the pages actually allocated.
Without the fix, this can lead to something like the following:
BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
...
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:446 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
put_page_testzero include/linux/mm.h:717 [inline]
__free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ae75b4ed30322b42abaa75ef1b784addfdb7dc9",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "695c47cea02b9101e2fc2e7d36d552128592b347",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "112a2f9b0a8457794095a0450598f150724ec456",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "a635415a064e77bcfbf43da413fd9dfe0bbed9cb",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix NULL dereference in error cleanup\n\nIn watch_queue_set_size(), the error cleanup code doesn\u0027t take account of\nthe fact that __free_page() can\u0027t handle a NULL pointer when trying to free\nup buffer pages that did get allocated.\n\nFix this by only calling __free_page() on the pages actually allocated.\n\nWithout the fix, this can lead to something like the following:\n\nBUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\nRead of size 4 at addr 0000000000000034 by task syz-executor168/3599\n...\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold+0x66/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:71 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]\n page_ref_count include/linux/page_ref.h:67 [inline]\n put_page_testzero include/linux/mm.h:717 [inline]\n __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\n watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275\n pipe_ioctl+0xac/0x2b0 fs/pipe.c:632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:31.060Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ae75b4ed30322b42abaa75ef1b784addfdb7dc9"
},
{
"url": "https://git.kernel.org/stable/c/695c47cea02b9101e2fc2e7d36d552128592b347"
},
{
"url": "https://git.kernel.org/stable/c/112a2f9b0a8457794095a0450598f150724ec456"
},
{
"url": "https://git.kernel.org/stable/c/b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d"
},
{
"url": "https://git.kernel.org/stable/c/a635415a064e77bcfbf43da413fd9dfe0bbed9cb"
}
],
"title": "watch_queue: Fix NULL dereference in error cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49257",
"datePublished": "2025-02-26T01:56:11.072Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:31.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49119 (GCVE-0-2022-49119)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()
In pm8001_chip_fw_flash_update_build(), if
pm8001_chip_fw_flash_update_build() fails, the struct fw_control_ex
allocated must be freed.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:39.389216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:03.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d83574666bac4b1462e90df393fbed6c5f57d1a3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e5ecdb01952f230921aa8163d8d7f4c97c925ed8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe5b8ea5583b5c3f6f68e06acba50387edf3b5d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a25ed5f21f94f9ae4bcc8dd747e978668890c921",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f792a3629f4c4aa4c3703d66b43ce1edcc3ec09a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()\n\nIn pm8001_chip_fw_flash_update_build(), if\npm8001_chip_fw_flash_update_build() fails, the struct fw_control_ex\nallocated must be freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:18.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d83574666bac4b1462e90df393fbed6c5f57d1a3"
},
{
"url": "https://git.kernel.org/stable/c/e5ecdb01952f230921aa8163d8d7f4c97c925ed8"
},
{
"url": "https://git.kernel.org/stable/c/fe5b8ea5583b5c3f6f68e06acba50387edf3b5d5"
},
{
"url": "https://git.kernel.org/stable/c/a25ed5f21f94f9ae4bcc8dd747e978668890c921"
},
{
"url": "https://git.kernel.org/stable/c/f792a3629f4c4aa4c3703d66b43ce1edcc3ec09a"
}
],
"title": "scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49119",
"datePublished": "2025-02-26T01:55:00.668Z",
"dateReserved": "2025-02-26T01:49:39.264Z",
"dateUpdated": "2025-10-01T19:57:03.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49443 (GCVE-0-2022-49443)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
list: fix a data-race around ep->rdllist
ep_poll() first calls ep_events_available() with no lock held and checks
if ep->rdllist is empty by list_empty_careful(), which reads
rdllist->prev. Thus all accesses to it need some protection to avoid
store/load-tearing.
Note INIT_LIST_HEAD_RCU() already has the annotation for both prev
and next.
Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket
fds.") added the first lockless ep_events_available(), and commit
c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")
made some ep_events_available() calls lockless and added single call under
a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock
for zero timeout") made the last ep_events_available() lockless.
BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait
write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:
INIT_LIST_HEAD include/linux/list.h:38 [inline]
list_splice_init include/linux/list.h:492 [inline]
ep_start_scan fs/eventpoll.c:622 [inline]
ep_send_events fs/eventpoll.c:1656 [inline]
ep_poll fs/eventpoll.c:1806 [inline]
do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:
list_empty_careful include/linux/list.h:329 [inline]
ep_events_available fs/eventpoll.c:381 [inline]
ep_poll fs/eventpoll.c:1797 [inline]
do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffff88810480c7d0 -> 0xffff888103c15098
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:52.947192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:49.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/list.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d5d993f16be15d124be7b8ec71b28ef7b7dc3af",
"status": "affected",
"version": "bf3b9f6372c45b0fbf24d86b8794910d20170017",
"versionType": "git"
},
{
"lessThan": "cb3e48f7a35033deb9455abe3932e63cb500b9eb",
"status": "affected",
"version": "bf3b9f6372c45b0fbf24d86b8794910d20170017",
"versionType": "git"
},
{
"lessThan": "e039c0b5985999b150594126225e1ee51df7b4c9",
"status": "affected",
"version": "bf3b9f6372c45b0fbf24d86b8794910d20170017",
"versionType": "git"
},
{
"lessThan": "d679ae94fdd5d3ab00c35078f5af5f37e068b03d",
"status": "affected",
"version": "bf3b9f6372c45b0fbf24d86b8794910d20170017",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/list.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlist: fix a data-race around ep-\u003erdllist\n\nep_poll() first calls ep_events_available() with no lock held and checks\nif ep-\u003erdllist is empty by list_empty_careful(), which reads\nrdllist-\u003eprev. Thus all accesses to it need some protection to avoid\nstore/load-tearing.\n\nNote INIT_LIST_HEAD_RCU() already has the annotation for both prev\nand next.\n\nCommit bf3b9f6372c4 (\"epoll: Add busy poll support to epoll with socket\nfds.\") added the first lockless ep_events_available(), and commit\nc5a282e9635e (\"fs/epoll: reduce the scope of wq lock in epoll_wait()\")\nmade some ep_events_available() calls lockless and added single call under\na lock, finally commit e59d3c64cba6 (\"epoll: eliminate unnecessary lock\nfor zero timeout\") made the last ep_events_available() lockless.\n\nBUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait\n\nwrite to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:\n INIT_LIST_HEAD include/linux/list.h:38 [inline]\n list_splice_init include/linux/list.h:492 [inline]\n ep_start_scan fs/eventpoll.c:622 [inline]\n ep_send_events fs/eventpoll.c:1656 [inline]\n ep_poll fs/eventpoll.c:1806 [inline]\n do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234\n do_epoll_pwait fs/eventpoll.c:2268 [inline]\n __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]\n __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275\n __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:\n list_empty_careful include/linux/list.h:329 [inline]\n ep_events_available fs/eventpoll.c:381 [inline]\n ep_poll fs/eventpoll.c:1797 [inline]\n do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234\n do_epoll_pwait fs/eventpoll.c:2268 [inline]\n __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]\n __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275\n __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0xffff88810480c7d0 -\u003e 0xffff888103c15098\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:51.460Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d5d993f16be15d124be7b8ec71b28ef7b7dc3af"
},
{
"url": "https://git.kernel.org/stable/c/cb3e48f7a35033deb9455abe3932e63cb500b9eb"
},
{
"url": "https://git.kernel.org/stable/c/e039c0b5985999b150594126225e1ee51df7b4c9"
},
{
"url": "https://git.kernel.org/stable/c/d679ae94fdd5d3ab00c35078f5af5f37e068b03d"
}
],
"title": "list: fix a data-race around ep-\u003erdllist",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49443",
"datePublished": "2025-02-26T02:12:55.959Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-10-01T19:46:49.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49104 (GCVE-0-2022-49104)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: vchiq_core: handle NULL result of find_service_by_handle
In case of an invalid handle the function find_servive_by_handle
returns NULL. So take care of this and avoid a NULL pointer dereference.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:16.064127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:05.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa0b7296785312a4bfa8fac0ba8ad78698fd9fcf",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "42f2142a337ee372455574809fc924580a7e51b2",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "04202f54dd8899e10f56a89c4c1ede0043fa22af",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "3b424f6586a870b8d657c5e5419465bbe0e7b61f",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
},
{
"lessThan": "ca225857faf237234d2fffe5d1919467dfadd822",
"status": "affected",
"version": "71bad7f086419dc674244b91ca35a12bfa4cb597",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_core: handle NULL result of find_service_by_handle\n\nIn case of an invalid handle the function find_servive_by_handle\nreturns NULL. So take care of this and avoid a NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:56.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa0b7296785312a4bfa8fac0ba8ad78698fd9fcf"
},
{
"url": "https://git.kernel.org/stable/c/42f2142a337ee372455574809fc924580a7e51b2"
},
{
"url": "https://git.kernel.org/stable/c/04202f54dd8899e10f56a89c4c1ede0043fa22af"
},
{
"url": "https://git.kernel.org/stable/c/3b424f6586a870b8d657c5e5419465bbe0e7b61f"
},
{
"url": "https://git.kernel.org/stable/c/ca225857faf237234d2fffe5d1919467dfadd822"
}
],
"title": "staging: vchiq_core: handle NULL result of find_service_by_handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49104",
"datePublished": "2025-02-26T01:54:53.004Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-10-01T19:57:05.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49300 (GCVE-0-2022-49300)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix race between nbd_alloc_config() and module removal
When nbd module is being removing, nbd_alloc_config() may be
called concurrently by nbd_genl_connect(), although try_module_get()
will return false, but nbd_alloc_config() doesn't handle it.
The race may lead to the leak of nbd_config and its related
resources (e.g, recv_workq) and oops in nbd_read_stat() due
to the unload of nbd module as shown below:
BUG: kernel NULL pointer dereference, address: 0000000000000040
Oops: 0000 [#1] SMP PTI
CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: knbd16-recv recv_work [nbd]
RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]
Call Trace:
recv_work+0x3b/0xb0 [nbd]
process_one_work+0x1ed/0x390
worker_thread+0x4a/0x3d0
kthread+0x12a/0x150
ret_from_fork+0x22/0x30
Fixing it by checking the return value of try_module_get()
in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),
assign nbd->config only when nbd_alloc_config() succeeds to ensure
the value of nbd->config is binary (valid or NULL).
Also adding a debug message to check the reference counter
of nbd_config during module removal.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:48.211252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:59.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "165cf2e0019fa6cedc75b456490c41494c34abb4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2573f2375b64280be977431701ed5d33b75b9ad0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a7da4ced236ce6637fe70f14ca18e718d4bf9e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "122e4adaff2439f1cc18cc7e931980fa7560df5c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71c142f910da44421213ade601bcbd23ceae19fa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2888fa41985f93ed0a6837cfbb06bcbfd7fa2314",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d09525720dd5201756f698bee1076de9aefd4602",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c55b2b983b0fa012942c3eb16384b2b722caa810",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between nbd_alloc_config() and module removal\n\nWhen nbd module is being removing, nbd_alloc_config() may be\ncalled concurrently by nbd_genl_connect(), although try_module_get()\nwill return false, but nbd_alloc_config() doesn\u0027t handle it.\n\nThe race may lead to the leak of nbd_config and its related\nresources (e.g, recv_workq) and oops in nbd_read_stat() due\nto the unload of nbd module as shown below:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000040\n Oops: 0000 [#1] SMP PTI\n CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: knbd16-recv recv_work [nbd]\n RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]\n Call Trace:\n recv_work+0x3b/0xb0 [nbd]\n process_one_work+0x1ed/0x390\n worker_thread+0x4a/0x3d0\n kthread+0x12a/0x150\n ret_from_fork+0x22/0x30\n\nFixing it by checking the return value of try_module_get()\nin nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),\nassign nbd-\u003econfig only when nbd_alloc_config() succeeds to ensure\nthe value of nbd-\u003econfig is binary (valid or NULL).\n\nAlso adding a debug message to check the reference counter\nof nbd_config during module removal."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:38.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/165cf2e0019fa6cedc75b456490c41494c34abb4"
},
{
"url": "https://git.kernel.org/stable/c/2573f2375b64280be977431701ed5d33b75b9ad0"
},
{
"url": "https://git.kernel.org/stable/c/8a7da4ced236ce6637fe70f14ca18e718d4bf9e9"
},
{
"url": "https://git.kernel.org/stable/c/122e4adaff2439f1cc18cc7e931980fa7560df5c"
},
{
"url": "https://git.kernel.org/stable/c/71c142f910da44421213ade601bcbd23ceae19fa"
},
{
"url": "https://git.kernel.org/stable/c/2888fa41985f93ed0a6837cfbb06bcbfd7fa2314"
},
{
"url": "https://git.kernel.org/stable/c/d09525720dd5201756f698bee1076de9aefd4602"
},
{
"url": "https://git.kernel.org/stable/c/c55b2b983b0fa012942c3eb16384b2b722caa810"
}
],
"title": "nbd: fix race between nbd_alloc_config() and module removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49300",
"datePublished": "2025-02-26T02:10:35.594Z",
"dateReserved": "2025-02-26T02:08:31.534Z",
"dateUpdated": "2025-10-01T19:46:59.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49546 (GCVE-0-2022-49546)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-11-03 19:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: fix memory leak of elf header buffer
This is reported by kmemleak detector:
unreferenced object 0xffffc900002a9000 (size 4096):
comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s)
hex dump (first 32 bytes):
7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>.............
backtrace:
[<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170
[<000000002b66b6c0>] __vmalloc_node+0xb4/0x160
[<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0
[<0000000019afff23>] crash_load_segments+0x260/0x470
[<0000000019ebe95c>] bzImage64_load+0x814/0xad0
[<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0
[<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0
[<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530
[<0000000087c19992>] do_syscall_64+0x3b/0x90
[<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to
store elf headers. While it's not freed back to system correctly when
kdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it
by introducing x86 specific function arch_kimage_file_post_load_cleanup(),
and freeing the buffer there.
And also remove the incorrect elf header buffer freeing code. Before
calling arch specific kexec_file loading function, the image instance has
been initialized. So 'image->elf_headers' must be NULL. It doesn't make
sense to free the elf header buffer in the place.
Three different people have reported three bugs about the memory leak on
x86_64 inside Redhat.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:27:52.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/machine_kexec_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23cf39dccf7653650701a6f39b119e9116a27f1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8765a423a87d74ef24ea02b43b2728fe4039f248",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "115ee42a4c2f26ba2b4ace2668a3f004621f6833",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f675e3a9189d84a9324ab45b0cb19906c2bc8fcb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3e34a47f98974d0844444c5121aaff123004e57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/machine_kexec_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xffffc900002a9000 (size 4096):\n comm \"kexec\", pid 14950, jiffies 4295110793 (age 373.951s)\n hex dump (first 32 bytes):\n 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............\n 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..\u003e.............\n backtrace:\n [\u003c0000000016a8ef9f\u003e] __vmalloc_node_range+0x101/0x170\n [\u003c000000002b66b6c0\u003e] __vmalloc_node+0xb4/0x160\n [\u003c00000000ad40107d\u003e] crash_prepare_elf64_headers+0x8e/0xcd0\n [\u003c0000000019afff23\u003e] crash_load_segments+0x260/0x470\n [\u003c0000000019ebe95c\u003e] bzImage64_load+0x814/0xad0\n [\u003c0000000093e16b05\u003e] arch_kexec_kernel_image_load+0x1be/0x2a0\n [\u003c000000009ef2fc88\u003e] kimage_file_alloc_init+0x2ec/0x5a0\n [\u003c0000000038f5a97a\u003e] __do_sys_kexec_file_load+0x28d/0x530\n [\u003c0000000087c19992\u003e] do_syscall_64+0x3b/0x90\n [\u003c0000000066e063a4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to\nstore elf headers. While it\u0027s not freed back to system correctly when\nkdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it\nby introducing x86 specific function arch_kimage_file_post_load_cleanup(),\nand freeing the buffer there.\n\nAnd also remove the incorrect elf header buffer freeing code. Before\ncalling arch specific kexec_file loading function, the image instance has\nbeen initialized. So \u0027image-\u003eelf_headers\u0027 must be NULL. It doesn\u0027t make\nsense to free the elf header buffer in the place.\n\nThree different people have reported three bugs about the memory leak on\nx86_64 inside Redhat."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:15.810Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23cf39dccf7653650701a6f39b119e9116a27f1a"
},
{
"url": "https://git.kernel.org/stable/c/8765a423a87d74ef24ea02b43b2728fe4039f248"
},
{
"url": "https://git.kernel.org/stable/c/115ee42a4c2f26ba2b4ace2668a3f004621f6833"
},
{
"url": "https://git.kernel.org/stable/c/f675e3a9189d84a9324ab45b0cb19906c2bc8fcb"
},
{
"url": "https://git.kernel.org/stable/c/b3e34a47f98974d0844444c5121aaff123004e57"
}
],
"title": "x86/kexec: fix memory leak of elf header buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49546",
"datePublished": "2025-02-26T02:13:58.867Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-11-03T19:27:52.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49328 (GCVE-0-2022-49328)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: fix use-after-free by removing a non-RCU wcid pointer
Fixes an issue caught by KASAN about use-after-free in mt76_txq_schedule
by protecting mtxq->wcid with rcu_lock between mt76_txq_schedule and
sta_info_[alloc, free].
[18853.876689] ==================================================================
[18853.876751] BUG: KASAN: use-after-free in mt76_txq_schedule+0x204/0xaf8 [mt76]
[18853.876773] Read of size 8 at addr ffffffaf989a2138 by task mt76-tx phy0/883
[18853.876786]
[18853.876810] CPU: 5 PID: 883 Comm: mt76-tx phy0 Not tainted 5.10.100-fix-510-56778d365941-kasan #5 0b01fbbcf41a530f52043508fec2e31a4215
[18853.876840] Call trace:
[18853.876861] dump_backtrace+0x0/0x3ec
[18853.876878] show_stack+0x20/0x2c
[18853.876899] dump_stack+0x11c/0x1ac
[18853.876918] print_address_description+0x74/0x514
[18853.876934] kasan_report+0x134/0x174
[18853.876948] __asan_report_load8_noabort+0x44/0x50
[18853.876976] mt76_txq_schedule+0x204/0xaf8 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877002] mt76_txq_schedule_all+0x2c/0x48 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877030] mt7921_tx_worker+0xa0/0x1cc [mt7921_common f0875ebac9d7b4754e1010549e7db50fbd90a047]
[18853.877054] __mt76_worker_fn+0x190/0x22c [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877071] kthread+0x2f8/0x3b8
[18853.877087] ret_from_fork+0x10/0x30
[18853.877098]
[18853.877112] Allocated by task 941:
[18853.877131] kasan_save_stack+0x38/0x68
[18853.877147] __kasan_kmalloc+0xd4/0xfc
[18853.877163] kasan_kmalloc+0x10/0x1c
[18853.877177] __kmalloc+0x264/0x3c4
[18853.877294] sta_info_alloc+0x460/0xf88 [mac80211]
[18853.877410] ieee80211_prep_connection+0x204/0x1ee0 [mac80211]
[18853.877523] ieee80211_mgd_auth+0x6c4/0xa4c [mac80211]
[18853.877635] ieee80211_auth+0x20/0x2c [mac80211]
[18853.877733] rdev_auth+0x7c/0x438 [cfg80211]
[18853.877826] cfg80211_mlme_auth+0x26c/0x390 [cfg80211]
[18853.877919] nl80211_authenticate+0x6d4/0x904 [cfg80211]
[18853.877938] genl_rcv_msg+0x748/0x93c
[18853.877954] netlink_rcv_skb+0x160/0x2a8
[18853.877969] genl_rcv+0x3c/0x54
[18853.877985] netlink_unicast_kernel+0x104/0x1ec
[18853.877999] netlink_unicast+0x178/0x268
[18853.878015] netlink_sendmsg+0x3cc/0x5f0
[18853.878030] sock_sendmsg+0xb4/0xd8
[18853.878043] ____sys_sendmsg+0x2f8/0x53c
[18853.878058] ___sys_sendmsg+0xe8/0x150
[18853.878071] __sys_sendmsg+0xc4/0x1f4
[18853.878087] __arm64_compat_sys_sendmsg+0x88/0x9c
[18853.878101] el0_svc_common+0x1b4/0x390
[18853.878115] do_el0_svc_compat+0x8c/0xdc
[18853.878131] el0_svc_compat+0x10/0x1c
[18853.878146] el0_sync_compat_handler+0xa8/0xcc
[18853.878161] el0_sync_compat+0x188/0x1c0
[18853.878171]
[18853.878183] Freed by task 10927:
[18853.878200] kasan_save_stack+0x38/0x68
[18853.878215] kasan_set_track+0x28/0x3c
[18853.878228] kasan_set_free_info+0x24/0x48
[18853.878244] __kasan_slab_free+0x11c/0x154
[18853.878259] kasan_slab_free+0x14/0x24
[18853.878273] slab_free_freelist_hook+0xac/0x1b0
[18853.878287] kfree+0x104/0x390
[18853.878402] sta_info_free+0x198/0x210 [mac80211]
[18853.878515] __sta_info_destroy_part2+0x230/0x2d4 [mac80211]
[18853.878628] __sta_info_flush+0x300/0x37c [mac80211]
[18853.878740] ieee80211_set_disassoc+0x2cc/0xa7c [mac80211]
[18853.878851] ieee80211_mgd_deauth+0x4a4/0x10a0 [mac80211]
[18853.878962] ieee80211_deauth+0x20/0x2c [mac80211]
[18853.879057] rdev_deauth+0x7c/0x438 [cfg80211]
[18853.879150] cfg80211_mlme_deauth+0x274/0x414 [cfg80211]
[18853.879243] cfg80211_mlme_down+0xe4/0x118 [cfg80211]
[18853.879335] cfg80211_disconnect+0x218/0x2d8 [cfg80211]
[18853.879427] __cfg80211_leave+0x17c/0x240 [cfg80211]
[18853.879519] cfg80211_leave+0x3c/0x58 [cfg80211]
[18853.879611] wiphy_suspend+0xdc/0x200 [cfg80211]
[18853.879628] dpm_run_callback+0x58/0x408
[18853.879642] __device_suspend+0x4cc/0x864
[18853.879658] async_suspend+0x34/0xf4
[18
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:47.103514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c",
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7603/main.c",
"drivers/net/wireless/mediatek/mt76/mt7615/main.c",
"drivers/net/wireless/mediatek/mt76/mt76x02_util.c",
"drivers/net/wireless/mediatek/mt76/mt7915/main.c",
"drivers/net/wireless/mediatek/mt76/mt7921/main.c",
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4448327b41738dbfcda680eb4935ff835568f468",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "e55bcdd0bf34a8b10d45ce80ebb3164c5292a17d",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "d5f77f1dbb59feae81f88e44551e8e1d8a802d9a",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
},
{
"lessThan": "51fb1278aa57ae0fc54adaa786e1965362bed4fb",
"status": "affected",
"version": "7bc04215a66b60e198aecaee8418f6d79fa19faa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c",
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7603/main.c",
"drivers/net/wireless/mediatek/mt76/mt7615/main.c",
"drivers/net/wireless/mediatek/mt76/mt76x02_util.c",
"drivers/net/wireless/mediatek/mt76/mt7915/main.c",
"drivers/net/wireless/mediatek/mt76/mt7921/main.c",
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix use-after-free by removing a non-RCU wcid pointer\n\nFixes an issue caught by KASAN about use-after-free in mt76_txq_schedule\nby protecting mtxq-\u003ewcid with rcu_lock between mt76_txq_schedule and\nsta_info_[alloc, free].\n\n[18853.876689] ==================================================================\n[18853.876751] BUG: KASAN: use-after-free in mt76_txq_schedule+0x204/0xaf8 [mt76]\n[18853.876773] Read of size 8 at addr ffffffaf989a2138 by task mt76-tx phy0/883\n[18853.876786]\n[18853.876810] CPU: 5 PID: 883 Comm: mt76-tx phy0 Not tainted 5.10.100-fix-510-56778d365941-kasan #5 0b01fbbcf41a530f52043508fec2e31a4215\n\n[18853.876840] Call trace:\n[18853.876861] dump_backtrace+0x0/0x3ec\n[18853.876878] show_stack+0x20/0x2c\n[18853.876899] dump_stack+0x11c/0x1ac\n[18853.876918] print_address_description+0x74/0x514\n[18853.876934] kasan_report+0x134/0x174\n[18853.876948] __asan_report_load8_noabort+0x44/0x50\n[18853.876976] mt76_txq_schedule+0x204/0xaf8 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877002] mt76_txq_schedule_all+0x2c/0x48 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877030] mt7921_tx_worker+0xa0/0x1cc [mt7921_common f0875ebac9d7b4754e1010549e7db50fbd90a047]\n[18853.877054] __mt76_worker_fn+0x190/0x22c [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877071] kthread+0x2f8/0x3b8\n[18853.877087] ret_from_fork+0x10/0x30\n[18853.877098]\n[18853.877112] Allocated by task 941:\n[18853.877131] kasan_save_stack+0x38/0x68\n[18853.877147] __kasan_kmalloc+0xd4/0xfc\n[18853.877163] kasan_kmalloc+0x10/0x1c\n[18853.877177] __kmalloc+0x264/0x3c4\n[18853.877294] sta_info_alloc+0x460/0xf88 [mac80211]\n[18853.877410] ieee80211_prep_connection+0x204/0x1ee0 [mac80211]\n[18853.877523] ieee80211_mgd_auth+0x6c4/0xa4c [mac80211]\n[18853.877635] ieee80211_auth+0x20/0x2c [mac80211]\n[18853.877733] rdev_auth+0x7c/0x438 [cfg80211]\n[18853.877826] cfg80211_mlme_auth+0x26c/0x390 [cfg80211]\n[18853.877919] nl80211_authenticate+0x6d4/0x904 [cfg80211]\n[18853.877938] genl_rcv_msg+0x748/0x93c\n[18853.877954] netlink_rcv_skb+0x160/0x2a8\n[18853.877969] genl_rcv+0x3c/0x54\n[18853.877985] netlink_unicast_kernel+0x104/0x1ec\n[18853.877999] netlink_unicast+0x178/0x268\n[18853.878015] netlink_sendmsg+0x3cc/0x5f0\n[18853.878030] sock_sendmsg+0xb4/0xd8\n[18853.878043] ____sys_sendmsg+0x2f8/0x53c\n[18853.878058] ___sys_sendmsg+0xe8/0x150\n[18853.878071] __sys_sendmsg+0xc4/0x1f4\n[18853.878087] __arm64_compat_sys_sendmsg+0x88/0x9c\n[18853.878101] el0_svc_common+0x1b4/0x390\n[18853.878115] do_el0_svc_compat+0x8c/0xdc\n[18853.878131] el0_svc_compat+0x10/0x1c\n[18853.878146] el0_sync_compat_handler+0xa8/0xcc\n[18853.878161] el0_sync_compat+0x188/0x1c0\n[18853.878171]\n[18853.878183] Freed by task 10927:\n[18853.878200] kasan_save_stack+0x38/0x68\n[18853.878215] kasan_set_track+0x28/0x3c\n[18853.878228] kasan_set_free_info+0x24/0x48\n[18853.878244] __kasan_slab_free+0x11c/0x154\n[18853.878259] kasan_slab_free+0x14/0x24\n[18853.878273] slab_free_freelist_hook+0xac/0x1b0\n[18853.878287] kfree+0x104/0x390\n[18853.878402] sta_info_free+0x198/0x210 [mac80211]\n[18853.878515] __sta_info_destroy_part2+0x230/0x2d4 [mac80211]\n[18853.878628] __sta_info_flush+0x300/0x37c [mac80211]\n[18853.878740] ieee80211_set_disassoc+0x2cc/0xa7c [mac80211]\n[18853.878851] ieee80211_mgd_deauth+0x4a4/0x10a0 [mac80211]\n[18853.878962] ieee80211_deauth+0x20/0x2c [mac80211]\n[18853.879057] rdev_deauth+0x7c/0x438 [cfg80211]\n[18853.879150] cfg80211_mlme_deauth+0x274/0x414 [cfg80211]\n[18853.879243] cfg80211_mlme_down+0xe4/0x118 [cfg80211]\n[18853.879335] cfg80211_disconnect+0x218/0x2d8 [cfg80211]\n[18853.879427] __cfg80211_leave+0x17c/0x240 [cfg80211]\n[18853.879519] cfg80211_leave+0x3c/0x58 [cfg80211]\n[18853.879611] wiphy_suspend+0xdc/0x200 [cfg80211]\n[18853.879628] dpm_run_callback+0x58/0x408\n[18853.879642] __device_suspend+0x4cc/0x864\n[18853.879658] async_suspend+0x34/0xf4\n[18\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:18.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4448327b41738dbfcda680eb4935ff835568f468"
},
{
"url": "https://git.kernel.org/stable/c/e55bcdd0bf34a8b10d45ce80ebb3164c5292a17d"
},
{
"url": "https://git.kernel.org/stable/c/d5f77f1dbb59feae81f88e44551e8e1d8a802d9a"
},
{
"url": "https://git.kernel.org/stable/c/51fb1278aa57ae0fc54adaa786e1965362bed4fb"
}
],
"title": "mt76: fix use-after-free by removing a non-RCU wcid pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49328",
"datePublished": "2025-02-26T02:10:49.590Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-05-04T08:35:18.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49759 (GCVE-0-2022-49759)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 17:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
VMCI: Use threaded irqs instead of tasklets
The vmci_dispatch_dgs() tasklet function calls vmci_read_data()
which uses wait_event() resulting in invalid sleep in an atomic
context (and therefore potentially in a deadlock).
Use threaded irqs to fix this issue and completely remove usage
of tasklets.
[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145
[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd
[ 20.264645] preempt_count: 101, expected: 0
[ 20.264646] RCU nest depth: 0, expected: 0
[ 20.264647] 1 lock held by vmtoolsd/762:
[ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]
[ 20.264658] Preemption disabled at:
[ 20.264659] [<ffff80000151d7d8>] vmci_send_datagram+0x44/0xa0 [vmw_vmci]
[ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1
[ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
[ 20.264668] Call trace:
[ 20.264669] dump_backtrace+0xc4/0x130
[ 20.264672] show_stack+0x24/0x80
[ 20.264673] dump_stack_lvl+0x88/0xb4
[ 20.264676] dump_stack+0x18/0x34
[ 20.264677] __might_resched+0x1a0/0x280
[ 20.264679] __might_sleep+0x58/0x90
[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]
[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]
[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150
[ 20.264688] tasklet_action+0x40/0x50
[ 20.264689] __do_softirq+0x23c/0x6b4
[ 20.264690] __irq_exit_rcu+0x104/0x214
[ 20.264691] irq_exit_rcu+0x1c/0x50
[ 20.264693] el1_interrupt+0x38/0x6c
[ 20.264695] el1h_64_irq_handler+0x18/0x24
[ 20.264696] el1h_64_irq+0x68/0x6c
[ 20.264697] preempt_count_sub+0xa4/0xe0
[ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0
[ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci]
[ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]
[ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci]
[ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]
[ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]
[ 20.264713] vsock_connect+0x278/0x330 [vsock]
[ 20.264715] __sys_connect_file+0x8c/0xc0
[ 20.264718] __sys_connect+0x84/0xb4
[ 20.264720] __arm64_sys_connect+0x2c/0x3c
[ 20.264721] invoke_syscall+0x78/0x100
[ 20.264723] el0_svc_common.constprop.0+0x68/0x124
[ 20.264724] do_el0_svc+0x38/0x4c
[ 20.264725] el0_svc+0x60/0x180
[ 20.264726] el0t_64_sync_handler+0x11c/0x150
[ 20.264728] el0t_64_sync+0x190/0x194
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:22:23.073608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:22:26.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "548ea9dd5e01b0ecf53d2563004c80abd636743d",
"status": "affected",
"version": "463713eb6164b6577f8e91447c7745628215531b",
"versionType": "git"
},
{
"lessThan": "3daed6345d5880464f46adab871d208e1baa2f3a",
"status": "affected",
"version": "463713eb6164b6577f8e91447c7745628215531b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Use threaded irqs instead of tasklets\n\nThe vmci_dispatch_dgs() tasklet function calls vmci_read_data()\nwhich uses wait_event() resulting in invalid sleep in an atomic\ncontext (and therefore potentially in a deadlock).\n\nUse threaded irqs to fix this issue and completely remove usage\nof tasklets.\n\n[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145\n[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd\n[ 20.264645] preempt_count: 101, expected: 0\n[ 20.264646] RCU nest depth: 0, expected: 0\n[ 20.264647] 1 lock held by vmtoolsd/762:\n[ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]\n[ 20.264658] Preemption disabled at:\n[ 20.264659] [\u003cffff80000151d7d8\u003e] vmci_send_datagram+0x44/0xa0 [vmw_vmci]\n[ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1\n[ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020\n[ 20.264668] Call trace:\n[ 20.264669] dump_backtrace+0xc4/0x130\n[ 20.264672] show_stack+0x24/0x80\n[ 20.264673] dump_stack_lvl+0x88/0xb4\n[ 20.264676] dump_stack+0x18/0x34\n[ 20.264677] __might_resched+0x1a0/0x280\n[ 20.264679] __might_sleep+0x58/0x90\n[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]\n[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]\n[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150\n[ 20.264688] tasklet_action+0x40/0x50\n[ 20.264689] __do_softirq+0x23c/0x6b4\n[ 20.264690] __irq_exit_rcu+0x104/0x214\n[ 20.264691] irq_exit_rcu+0x1c/0x50\n[ 20.264693] el1_interrupt+0x38/0x6c\n[ 20.264695] el1h_64_irq_handler+0x18/0x24\n[ 20.264696] el1h_64_irq+0x68/0x6c\n[ 20.264697] preempt_count_sub+0xa4/0xe0\n[ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0\n[ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci]\n[ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]\n[ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci]\n[ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]\n[ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]\n[ 20.264713] vsock_connect+0x278/0x330 [vsock]\n[ 20.264715] __sys_connect_file+0x8c/0xc0\n[ 20.264718] __sys_connect+0x84/0xb4\n[ 20.264720] __arm64_sys_connect+0x2c/0x3c\n[ 20.264721] invoke_syscall+0x78/0x100\n[ 20.264723] el0_svc_common.constprop.0+0x68/0x124\n[ 20.264724] do_el0_svc+0x38/0x4c\n[ 20.264725] el0_svc+0x60/0x180\n[ 20.264726] el0t_64_sync_handler+0x11c/0x150\n[ 20.264728] el0t_64_sync+0x190/0x194"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:47.306Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/548ea9dd5e01b0ecf53d2563004c80abd636743d"
},
{
"url": "https://git.kernel.org/stable/c/3daed6345d5880464f46adab871d208e1baa2f3a"
}
],
"title": "VMCI: Use threaded irqs instead of tasklets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49759",
"datePublished": "2025-03-27T16:43:06.197Z",
"dateReserved": "2025-03-27T16:39:17.990Z",
"dateUpdated": "2025-10-01T17:22:26.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28410 (GCVE-0-2023-28410)
Vulnerability from cvelistv5
Published
2023-05-10 13:16
Modified
2025-03-18 19:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- escalation of privilege
- CWE-119 - Improper restriction of operations within the bounds of a memory buffer
Summary
Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Intel(R) i915 Graphics drivers for linux |
Version: before kernel version 6.2.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00886.html",
"tags": [
"x_transferred"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00886.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230622-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:27:26.145778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T19:11:40.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) i915 Graphics drivers for linux",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before kernel version 6.2.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "escalation of privilege",
"lang": "en"
},
{
"cweId": "CWE-119",
"description": "Improper restriction of operations within the bounds of a memory buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T14:06:51.241Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00886.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00886.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230622-0004/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2023-28410",
"datePublished": "2023-05-10T13:16:37.359Z",
"dateReserved": "2023-03-22T03:00:05.381Z",
"dateUpdated": "2025-03-18T19:11:40.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52941 (GCVE-0-2023-52941)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: split tx timer into transmission and timeout
The timer for the transmission of isotp PDUs formerly had two functions:
1. send two consecutive frames with a given time gap
2. monitor the timeouts for flow control frames and the echo frames
This led to larger txstate checks and potentially to a problem discovered
by syzbot which enabled the panic_on_warn feature while testing.
The former 'txtimer' function is split into 'txfrtimer' and 'txtimer'
to handle the two above functionalities with separate timer callbacks.
The two simplified timers now run in one-shot mode and make the state
transitions (especially with isotp_rcv_echo) better understandable.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cae4c9bc35f72af5d4a079bb9d9fd62c4088a411",
"status": "affected",
"version": "866337865f3747c68a3e7bb837611e39cec1ecd6",
"versionType": "git"
},
{
"lessThan": "4f027cba8216f42a18b544842efab134f8b1f9f4",
"status": "affected",
"version": "866337865f3747c68a3e7bb837611e39cec1ecd6",
"versionType": "git"
},
{
"status": "affected",
"version": "3cb476cf834edca47f4470c276feb0f519401fb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: split tx timer into transmission and timeout\n\nThe timer for the transmission of isotp PDUs formerly had two functions:\n1. send two consecutive frames with a given time gap\n2. monitor the timeouts for flow control frames and the echo frames\n\nThis led to larger txstate checks and potentially to a problem discovered\nby syzbot which enabled the panic_on_warn feature while testing.\n\nThe former \u0027txtimer\u0027 function is split into \u0027txfrtimer\u0027 and \u0027txtimer\u0027\nto handle the two above functionalities with separate timer callbacks.\n\nThe two simplified timers now run in one-shot mode and make the state\ntransitions (especially with isotp_rcv_echo) better understandable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:55.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cae4c9bc35f72af5d4a079bb9d9fd62c4088a411"
},
{
"url": "https://git.kernel.org/stable/c/4f027cba8216f42a18b544842efab134f8b1f9f4"
}
],
"title": "can: isotp: split tx timer into transmission and timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52941",
"datePublished": "2025-03-27T16:37:19.469Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-05-04T12:49:55.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53057 (GCVE-0-2024-53057)
Vulnerability from cvelistv5
Published
2024-11-19 17:19
Modified
2025-11-03 22:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 Version: 066a3b5b2346febf9a655b444567b7138e3bb939 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:23.594430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:31.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:50.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7f9a6f97eb067599a74f3bcb6761976b0ed303e",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "ce691c814bc7a3c30c220ffb5b7422715458fd9b",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "05df1b1dff8f197f1c275b57ccb2ca33021df552",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "580b3189c1972aff0f993837567d36392e9d981b",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "597cf9748c3477bf61bc35f0634129f56764ad24",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "9995909615c3431a5304c1210face5f268d24dba",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
},
{
"lessThan": "2e95c4384438adeaa772caa560244b1a2efef816",
"status": "affected",
"version": "066a3b5b2346febf9a655b444567b7138e3bb939",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.229",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.171",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.116",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.60",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.7",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it\u0027s valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:51:52.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"
},
{
"url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"
},
{
"url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"
},
{
"url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"
},
{
"url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"
},
{
"url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"
},
{
"url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"
},
{
"url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"
}
],
"title": "net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53057",
"datePublished": "2024-11-19T17:19:40.284Z",
"dateReserved": "2024-11-19T17:17:24.974Z",
"dateUpdated": "2025-11-03T22:28:50.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21886 (GCVE-0-2025-21886)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix implicit ODP hang on parent deregistration
Fix the destroy_unused_implicit_child_mr() to prevent hanging during
parent deregistration as of below [1].
Upon entering destroy_unused_implicit_child_mr(), the reference count
for the implicit MR parent is incremented using:
refcount_inc_not_zero().
A corresponding decrement must be performed if
free_implicit_child_mr_work() is not called.
The code has been updated to properly manage the reference count that
was incremented.
[1]
INFO: task python3:2157 blocked for more than 120 seconds.
Not tainted 6.12.0-rc7+ #1633
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000
Call Trace:
<TASK>
__schedule+0x420/0xd30
schedule+0x47/0x130
__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]
? __pfx_autoremove_wake_function+0x10/0x10
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
? kmem_cache_free+0x221/0x400
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f20f21f017b
RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b
RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60
R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890
R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb96ae783e7249e8e5a50c22952c0bb2983133df",
"status": "affected",
"version": "7cc8f681f6d4ae4478ae0f60485fc768f2b450da",
"versionType": "git"
},
{
"lessThan": "a095ede2daca49d15e74d66d014883f2fa8bb924",
"status": "affected",
"version": "edfb65dbb9ffd3102f3ff4dd21316158e56f1976",
"versionType": "git"
},
{
"lessThan": "3d8c6f26893d55fab218ad086719de1fc9bb86ba",
"status": "affected",
"version": "d3d930411ce390e532470194296658a960887773",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.18",
"status": "affected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThan": "6.13.6",
"status": "affected",
"version": "6.13.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP hang on parent deregistration\n\nFix the destroy_unused_implicit_child_mr() to prevent hanging during\nparent deregistration as of below [1].\n\nUpon entering destroy_unused_implicit_child_mr(), the reference count\nfor the implicit MR parent is incremented using:\nrefcount_inc_not_zero().\n\nA corresponding decrement must be performed if\nfree_implicit_child_mr_work() is not called.\n\nThe code has been updated to properly manage the reference count that\nwas incremented.\n\n[1]\nINFO: task python3:2157 blocked for more than 120 seconds.\nNot tainted 6.12.0-rc7+ #1633\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\n__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]\n? __pfx_autoremove_wake_function+0x10/0x10\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n __x64_sys_ioctl+0x1b0/0xa70\n? kmem_cache_free+0x221/0x400\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f20f21f017b\nRSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b\nRDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60\nR10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890\nR13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:20.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb96ae783e7249e8e5a50c22952c0bb2983133df"
},
{
"url": "https://git.kernel.org/stable/c/a095ede2daca49d15e74d66d014883f2fa8bb924"
},
{
"url": "https://git.kernel.org/stable/c/3d8c6f26893d55fab218ad086719de1fc9bb86ba"
}
],
"title": "RDMA/mlx5: Fix implicit ODP hang on parent deregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21886",
"datePublished": "2025-03-27T14:57:13.923Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:20.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49489 (GCVE-0-2022-49489)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume
BUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3
Call trace:
dpu_vbif_init_memtypes+0x40/0xb8
dpu_runtime_resume+0xcc/0x1c0
pm_generic_runtime_resume+0x30/0x44
__genpd_runtime_resume+0x68/0x7c
genpd_runtime_resume+0x134/0x258
__rpm_callback+0x98/0x138
rpm_callback+0x30/0x88
rpm_resume+0x36c/0x49c
__pm_runtime_resume+0x80/0xb0
dpu_core_irq_uninstall+0x30/0xb0
dpu_irq_uninstall+0x18/0x24
msm_drm_uninit+0xd8/0x16c
Patchwork: https://patchwork.freedesktop.org/patch/483255/
[DB: fixed Fixes tag]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef Version: 25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:14:26.064308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:21:43.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa4cb188988dc6f1b3f4917d4dbc452150a5d871",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "ef10d0c68e8608848cd58fca2589685718426607",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "134760263f6441741db0b2970e7face6b34b6d1c",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "ef4bdaac7cb5416f236613ed9337ff0ea8ee329b",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "97ac682b6f7d36be5d934f86c9911066540a68f1",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "5b0adf5cbf3b74721e4e4c4e0cadc91b8df8bcc2",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
},
{
"lessThan": "fa5186b279ecf44b14fb435540d2065be91cb1ed",
"status": "affected",
"version": "25fdd5933e4c0f5fe2ea5cd59994f8ac5fbe90ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume\n\nBUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3\n\nCall trace:\n dpu_vbif_init_memtypes+0x40/0xb8\n dpu_runtime_resume+0xcc/0x1c0\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x134/0x258\n __rpm_callback+0x98/0x138\n rpm_callback+0x30/0x88\n rpm_resume+0x36c/0x49c\n __pm_runtime_resume+0x80/0xb0\n dpu_core_irq_uninstall+0x30/0xb0\n dpu_irq_uninstall+0x18/0x24\n msm_drm_uninit+0xd8/0x16c\n\nPatchwork: https://patchwork.freedesktop.org/patch/483255/\n[DB: fixed Fixes tag]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:00.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa4cb188988dc6f1b3f4917d4dbc452150a5d871"
},
{
"url": "https://git.kernel.org/stable/c/ef10d0c68e8608848cd58fca2589685718426607"
},
{
"url": "https://git.kernel.org/stable/c/134760263f6441741db0b2970e7face6b34b6d1c"
},
{
"url": "https://git.kernel.org/stable/c/ef4bdaac7cb5416f236613ed9337ff0ea8ee329b"
},
{
"url": "https://git.kernel.org/stable/c/97ac682b6f7d36be5d934f86c9911066540a68f1"
},
{
"url": "https://git.kernel.org/stable/c/5b0adf5cbf3b74721e4e4c4e0cadc91b8df8bcc2"
},
{
"url": "https://git.kernel.org/stable/c/fa5186b279ecf44b14fb435540d2065be91cb1ed"
}
],
"title": "drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49489",
"datePublished": "2025-02-26T02:13:26.785Z",
"dateReserved": "2025-02-26T02:08:31.585Z",
"dateUpdated": "2025-05-04T08:39:00.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49642 (GCVE-0-2022-49642)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: dwc-qos: Disable split header for Tegra194
There is a long-standing issue with the Synopsys DWC Ethernet driver
for Tegra194 where random system crashes have been observed [0]. The
problem occurs when the split header feature is enabled in the stmmac
driver. In the bad case, a larger than expected buffer length is
received and causes the calculation of the total buffer length to
overflow. This results in a very large buffer length that causes the
kernel to crash. Why this larger buffer length is received is not clear,
however, the feedback from the NVIDIA design team is that the split
header feature is not supported for Tegra194. Therefore, disable split
header support for Tegra194 to prevent these random crashes from
occurring.
[0] https://lore.kernel.org/linux-tegra/b0b17697-f23e-8fa5-3757-604a86f3a095@nvidia.com/
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2968830c9b47ce093237483c6207c61065712386",
"status": "affected",
"version": "67afd6d1cfdf0d0461fe3c4c922447f3e9b1c6ee",
"versionType": "git"
},
{
"lessThan": "9cc8edc571b871d974b3289868553f9ce544aba6",
"status": "affected",
"version": "67afd6d1cfdf0d0461fe3c4c922447f3e9b1c6ee",
"versionType": "git"
},
{
"lessThan": "d5c315a787652c35045044877a249f7d5c8a4104",
"status": "affected",
"version": "67afd6d1cfdf0d0461fe3c4c922447f3e9b1c6ee",
"versionType": "git"
},
{
"lessThan": "cfa4caf3e881ad6dd366c903c34f1c7f21b857ab",
"status": "affected",
"version": "67afd6d1cfdf0d0461fe3c4c922447f3e9b1c6ee",
"versionType": "git"
},
{
"lessThan": "029c1c2059e9c4b38f97a06204cdecd10cfbeb8a",
"status": "affected",
"version": "67afd6d1cfdf0d0461fe3c4c922447f3e9b1c6ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwc-qos: Disable split header for Tegra194\n\nThere is a long-standing issue with the Synopsys DWC Ethernet driver\nfor Tegra194 where random system crashes have been observed [0]. The\nproblem occurs when the split header feature is enabled in the stmmac\ndriver. In the bad case, a larger than expected buffer length is\nreceived and causes the calculation of the total buffer length to\noverflow. This results in a very large buffer length that causes the\nkernel to crash. Why this larger buffer length is received is not clear,\nhowever, the feedback from the NVIDIA design team is that the split\nheader feature is not supported for Tegra194. Therefore, disable split\nheader support for Tegra194 to prevent these random crashes from\noccurring.\n\n[0] https://lore.kernel.org/linux-tegra/b0b17697-f23e-8fa5-3757-604a86f3a095@nvidia.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:25.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2968830c9b47ce093237483c6207c61065712386"
},
{
"url": "https://git.kernel.org/stable/c/9cc8edc571b871d974b3289868553f9ce544aba6"
},
{
"url": "https://git.kernel.org/stable/c/d5c315a787652c35045044877a249f7d5c8a4104"
},
{
"url": "https://git.kernel.org/stable/c/cfa4caf3e881ad6dd366c903c34f1c7f21b857ab"
},
{
"url": "https://git.kernel.org/stable/c/029c1c2059e9c4b38f97a06204cdecd10cfbeb8a"
}
],
"title": "net: stmmac: dwc-qos: Disable split header for Tegra194",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49642",
"datePublished": "2025-02-26T02:23:49.154Z",
"dateReserved": "2025-02-26T02:21:30.431Z",
"dateUpdated": "2025-05-04T08:42:25.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49725 (GCVE-0-2022-49725)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix call trace in setup_tx_descriptors
After PF reset and ethtool -t there was call trace in dmesg
sometimes leading to panic. When there was some time, around 5
seconds, between reset and test there were no errors.
Problem was that pf reset calls i40e_vsi_close in prep_for_reset
and ethtool -t calls i40e_vsi_close in diag_test. If there was not
enough time between those commands the second i40e_vsi_close starts
before previous i40e_vsi_close was done which leads to crash.
Add check to diag_test if pf is in reset and don't start offline
tests if it is true.
Add netif_info("testing failed") into unhappy path of i40e_diag_test()
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 Version: e17bc411aea8fbebc51857037f104ab09f765120 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ba9956ca57e361fb13ea369bb753eb33177acc7",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "15950157e2c24865b696db1c9ccc72743ae0e967",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "ff6e03fe84bc917bb0c907d02de668c2fe101712",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "814092927a215f5ca6c08249ec72a205e0b473cd",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "0a4e5a3dc5e41212870e6043895ae02455c93f63",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "322271351b0e41565171e4cce70ea41854fac115",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
},
{
"lessThan": "fd5855e6b1358e816710afee68a1d2bc685176ca",
"status": "affected",
"version": "e17bc411aea8fbebc51857037f104ab09f765120",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix call trace in setup_tx_descriptors\n\nAfter PF reset and ethtool -t there was call trace in dmesg\nsometimes leading to panic. When there was some time, around 5\nseconds, between reset and test there were no errors.\n\nProblem was that pf reset calls i40e_vsi_close in prep_for_reset\nand ethtool -t calls i40e_vsi_close in diag_test. If there was not\nenough time between those commands the second i40e_vsi_close starts\nbefore previous i40e_vsi_close was done which leads to crash.\n\nAdd check to diag_test if pf is in reset and don\u0027t start offline\ntests if it is true.\nAdd netif_info(\"testing failed\") into unhappy path of i40e_diag_test()"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:08.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ba9956ca57e361fb13ea369bb753eb33177acc7"
},
{
"url": "https://git.kernel.org/stable/c/15950157e2c24865b696db1c9ccc72743ae0e967"
},
{
"url": "https://git.kernel.org/stable/c/ff6e03fe84bc917bb0c907d02de668c2fe101712"
},
{
"url": "https://git.kernel.org/stable/c/814092927a215f5ca6c08249ec72a205e0b473cd"
},
{
"url": "https://git.kernel.org/stable/c/0a4e5a3dc5e41212870e6043895ae02455c93f63"
},
{
"url": "https://git.kernel.org/stable/c/322271351b0e41565171e4cce70ea41854fac115"
},
{
"url": "https://git.kernel.org/stable/c/fd5855e6b1358e816710afee68a1d2bc685176ca"
}
],
"title": "i40e: Fix call trace in setup_tx_descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49725",
"datePublished": "2025-02-26T02:24:37.349Z",
"dateReserved": "2025-02-26T02:21:30.447Z",
"dateUpdated": "2025-05-04T08:44:08.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41092 (GCVE-0-2024-41092)
Vulnerability from cvelistv5
Published
2024-07-29 15:48
Modified
2025-11-03 22:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Fix potential UAF by revoke of fence registers
CI has been sporadically reporting the following issue triggered by
igt@i915_selftest@live@hangcheck on ADL-P and similar machines:
<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence
...
<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled
<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled
<3> [414.070354] Unable to pin Y-tiled fence; err:-4
<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))
...
<4>[ 609.603992] ------------[ cut here ]------------
<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!
<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1
<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]
<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]
...
<4>[ 609.604271] Call Trace:
<4>[ 609.604273] <TASK>
...
<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]
<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]
<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]
<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]
<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]
<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]
<4>[ 609.605440] process_scheduled_works+0x351/0x690
...
In the past, there were similar failures reported by CI from other IGT
tests, observed on other platforms.
Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity
before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for
idleness of vma->active via fence_update(). That commit introduced
vma->fence->active in order for the fence_update() to be able to wait
selectively on that one instead of vma->active since only idleness of
fence registers was needed. But then, another commit 0d86ee35097a
("drm/i915/gt: Make fence revocation unequivocal") replaced the call to
fence_update() in i915_vma_revoke_fence() with only fence_write(), and
also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.
No justification was provided on why we might then expect idleness of
vma->fence->active without first waiting on it.
The issue can be potentially caused by a race among revocation of fence
registers on one side and sequential execution of signal callbacks invoked
on completion of a request that was using them on the other, still
processed in parallel to revocation of those fence registers. Fix it by
waiting for idleness of vma->fence->active in i915_vma_revoke_fence().
(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 Version: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:49.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:20:35.535942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:56.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f771b91f21c46ad1217328d05e72a2c7e3add535",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "29c0fdf49078ab161570d3d1c6e13d66f182717d",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "ca0fabd365a27a94a36e68a7a02df8ff3c13dac6",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "06dec31a0a5112a91f49085e8a8fa1a82296d5c7",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "414f4a31f7a811008fd9a33b06216b060bad18fc",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "996c3412a06578e9d779a16b9e79ace18125ab50",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n\u003c6\u003e [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n\u003c6\u003e [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n\u003c6\u003e [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n\u003c3\u003e [414.070354] Unable to pin Y-tiled fence; err:-4\n\u003c3\u003e [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(\u0026fence-\u003eactive))\n...\n\u003c4\u003e[ 609.603992] ------------[ cut here ]------------\n\u003c2\u003e[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n\u003c4\u003e[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n\u003c4\u003e[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n\u003c4\u003e[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n\u003c4\u003e[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n\u003c4\u003e[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n\u003c4\u003e[ 609.604271] Call Trace:\n\u003c4\u003e[ 609.604273] \u003cTASK\u003e\n...\n\u003c4\u003e[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n\u003c4\u003e[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n\u003c4\u003e[ 609.604977] force_unbind+0x24/0xa0 [i915]\n\u003c4\u003e[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n\u003c4\u003e[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n\u003c4\u003e[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n\u003c4\u003e[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma-\u003eactive via fence_update(). That commit introduced\nvma-\u003efence-\u003eactive in order for the fence_update() to be able to wait\nselectively on that one instead of vma-\u003eactive since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(\u0026fence-\u003eactive)) in front.\nNo justification was provided on why we might then expect idleness of\nvma-\u003efence-\u003eactive without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma-\u003efence-\u003eactive in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:21:54.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535"
},
{
"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d"
},
{
"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6"
},
{
"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7"
},
{
"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc"
},
{
"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50"
}
],
"title": "drm/i915/gt: Fix potential UAF by revoke of fence registers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41092",
"datePublished": "2024-07-29T15:48:05.853Z",
"dateReserved": "2024-07-12T12:17:45.636Z",
"dateUpdated": "2025-11-03T22:00:49.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49159 (GCVE-0-2022-49159)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Implement ref count for SRB
The timeout handler and the done function are racing. When
qla2x00_async_iocb_timeout() starts to run it can be preempted by the
normal response path (via the firmware?). qla24xx_async_gpsc_sp_done()
releases the SRB unconditionally. When scheduling back to
qla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed
sp->qpair pointer:
qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21.
qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21
qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400.
qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5
BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]
Obvious solution to this is to introduce a reference counter. One reference
is taken for the normal code path (the 'good' case) and one for the timeout
path. As we always race between the normal good case and the timeout/abort
handler we need to serialize it. Also we cannot assume any order between
the handlers. Since this is slow path we can use proper synchronization via
locks.
When we are able to cancel a timer (del_timer returns 1) we know there
can't be any error handling in progress because the timeout handler hasn't
expired yet, thus we can safely decrement the refcounter by one.
If we are not able to cancel the timer, we know an abort handler is
running. We have to make sure we call sp->done() in the abort handlers
before calling kref_put().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c",
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_edif.c",
"drivers/scsi/qla2xxx/qla_gbl.h",
"drivers/scsi/qla2xxx/qla_gs.c",
"drivers/scsi/qla2xxx/qla_init.c",
"drivers/scsi/qla2xxx/qla_inline.h",
"drivers/scsi/qla2xxx/qla_iocb.c",
"drivers/scsi/qla2xxx/qla_mbx.c",
"drivers/scsi/qla2xxx/qla_mid.c",
"drivers/scsi/qla2xxx/qla_mr.c",
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e17111dd2fda81c35f309b1e5b6ab35809a375e7",
"status": "affected",
"version": "7ebb336e45ef1ce23462c3bbd03779929008901f",
"versionType": "git"
},
{
"lessThan": "e140723f78ff418c8df7d990e102e07b65c87d4a",
"status": "affected",
"version": "7ebb336e45ef1ce23462c3bbd03779929008901f",
"versionType": "git"
},
{
"lessThan": "ceda7f794f3dfe272491e93e3e93049f8be5f07b",
"status": "affected",
"version": "7ebb336e45ef1ce23462c3bbd03779929008901f",
"versionType": "git"
},
{
"lessThan": "31e6cdbe0eae37badceb5e0d4f06cf051432fd77",
"status": "affected",
"version": "7ebb336e45ef1ce23462c3bbd03779929008901f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c",
"drivers/scsi/qla2xxx/qla_def.h",
"drivers/scsi/qla2xxx/qla_edif.c",
"drivers/scsi/qla2xxx/qla_gbl.h",
"drivers/scsi/qla2xxx/qla_gs.c",
"drivers/scsi/qla2xxx/qla_init.c",
"drivers/scsi/qla2xxx/qla_inline.h",
"drivers/scsi/qla2xxx/qla_iocb.c",
"drivers/scsi/qla2xxx/qla_mbx.c",
"drivers/scsi/qla2xxx/qla_mid.c",
"drivers/scsi/qla2xxx/qla_mr.c",
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Implement ref count for SRB\n\nThe timeout handler and the done function are racing. When\nqla2x00_async_iocb_timeout() starts to run it can be preempted by the\nnormal response path (via the firmware?). qla24xx_async_gpsc_sp_done()\nreleases the SRB unconditionally. When scheduling back to\nqla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed\nsp-\u003eqpair pointer:\n\n qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21.\n qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21\n qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400.\n qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000004\n IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]\n\nObvious solution to this is to introduce a reference counter. One reference\nis taken for the normal code path (the \u0027good\u0027 case) and one for the timeout\npath. As we always race between the normal good case and the timeout/abort\nhandler we need to serialize it. Also we cannot assume any order between\nthe handlers. Since this is slow path we can use proper synchronization via\nlocks.\n\nWhen we are able to cancel a timer (del_timer returns 1) we know there\ncan\u0027t be any error handling in progress because the timeout handler hasn\u0027t\nexpired yet, thus we can safely decrement the refcounter by one.\n\nIf we are not able to cancel the timer, we know an abort handler is\nrunning. We have to make sure we call sp-\u003edone() in the abort handlers\nbefore calling kref_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:15.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e17111dd2fda81c35f309b1e5b6ab35809a375e7"
},
{
"url": "https://git.kernel.org/stable/c/e140723f78ff418c8df7d990e102e07b65c87d4a"
},
{
"url": "https://git.kernel.org/stable/c/ceda7f794f3dfe272491e93e3e93049f8be5f07b"
},
{
"url": "https://git.kernel.org/stable/c/31e6cdbe0eae37badceb5e0d4f06cf051432fd77"
}
],
"title": "scsi: qla2xxx: Implement ref count for SRB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49159",
"datePublished": "2025-02-26T01:55:22.021Z",
"dateReserved": "2025-02-26T01:49:39.276Z",
"dateUpdated": "2025-05-04T08:31:15.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49680 (GCVE-0-2022-49680)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: exynos: Fix refcount leak in exynos_map_pmu
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
of_node_put() checks null pointer.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 Version: fce9e5bb25264153f9f002eada41757118d25ba9 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:02.308011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:46.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-exynos/exynos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "545ae5cbae839ce39bfe09828e413f1c916082de",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "31d09571bb071c20f6bdc0bb7ac1ef8dd2987c04",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "7571bcecf01b69f0d3ec60ca41ce5d4c75411a4a",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "f9b77a52937582a5b99a5a07e4ef1e2f48f87347",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "68f28d52e6cbab8dcfa249cac4356d1d0573e868",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "d23f76018e17618559da9eea179d137362023f95",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "fc354856e9fad9cd36e2ad28f9da70716025055a",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
},
{
"lessThan": "c4c79525042a4a7df96b73477feaf232fe44ae81",
"status": "affected",
"version": "fce9e5bb25264153f9f002eada41757118d25ba9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-exynos/exynos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.321",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.286",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: exynos: Fix refcount leak in exynos_map_pmu\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() checks null pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:11.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/545ae5cbae839ce39bfe09828e413f1c916082de"
},
{
"url": "https://git.kernel.org/stable/c/31d09571bb071c20f6bdc0bb7ac1ef8dd2987c04"
},
{
"url": "https://git.kernel.org/stable/c/7571bcecf01b69f0d3ec60ca41ce5d4c75411a4a"
},
{
"url": "https://git.kernel.org/stable/c/f9b77a52937582a5b99a5a07e4ef1e2f48f87347"
},
{
"url": "https://git.kernel.org/stable/c/68f28d52e6cbab8dcfa249cac4356d1d0573e868"
},
{
"url": "https://git.kernel.org/stable/c/d23f76018e17618559da9eea179d137362023f95"
},
{
"url": "https://git.kernel.org/stable/c/fc354856e9fad9cd36e2ad28f9da70716025055a"
},
{
"url": "https://git.kernel.org/stable/c/c4c79525042a4a7df96b73477feaf232fe44ae81"
}
],
"title": "ARM: exynos: Fix refcount leak in exynos_map_pmu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49680",
"datePublished": "2025-02-26T02:24:09.762Z",
"dateReserved": "2025-02-26T02:21:30.439Z",
"dateUpdated": "2025-10-01T19:36:46.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49296 (GCVE-0-2022-49296)
Vulnerability from cvelistv5
Published
2025-02-26 02:01
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix possible deadlock when holding Fwb to get inline_data
1, mount with wsync.
2, create a file with O_RDWR, and the request was sent to mds.0:
ceph_atomic_open()-->
ceph_mdsc_do_request(openc)
finish_open(file, dentry, ceph_open)-->
ceph_open()-->
ceph_init_file()-->
ceph_init_file_info()-->
ceph_uninline_data()-->
{
...
if (inline_version == 1 || /* initial version, no data */
inline_version == CEPH_INLINE_NONE)
goto out_unlock;
...
}
The inline_version will be 1, which is the initial version for the
new create file. And here the ci->i_inline_version will keep with 1,
it's buggy.
3, buffer write to the file immediately:
ceph_write_iter()-->
ceph_get_caps(file, need=Fw, want=Fb, ...);
generic_perform_write()-->
a_ops->write_begin()-->
ceph_write_begin()-->
netfs_write_begin()-->
netfs_begin_read()-->
netfs_rreq_submit_slice()-->
netfs_read_from_server()-->
rreq->netfs_ops->issue_read()-->
ceph_netfs_issue_read()-->
{
...
if (ci->i_inline_version != CEPH_INLINE_NONE &&
ceph_netfs_issue_op_inline(subreq))
return;
...
}
ceph_put_cap_refs(ci, Fwb);
The ceph_netfs_issue_op_inline() will send a getattr(Fsr) request to
mds.1.
4, then the mds.1 will request the rd lock for CInode::filelock from
the auth mds.0, the mds.0 will do the CInode::filelock state transation
from excl --> sync, but it need to revoke the Fxwb caps back from the
clients.
While the kernel client has aleady held the Fwb caps and waiting for
the getattr(Fsr).
It's deadlock!
URL: https://tracker.ceph.com/issues/55377
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:59.503744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:59.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "292b7a7275ce535a1abfa4dd0b2e586162aaae1e",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "825978fd6a0defc3c29d8a38b6cea76a0938d21e",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix possible deadlock when holding Fwb to get inline_data\n\n1, mount with wsync.\n2, create a file with O_RDWR, and the request was sent to mds.0:\n\n ceph_atomic_open()--\u003e\n ceph_mdsc_do_request(openc)\n finish_open(file, dentry, ceph_open)--\u003e\n ceph_open()--\u003e\n ceph_init_file()--\u003e\n ceph_init_file_info()--\u003e\n ceph_uninline_data()--\u003e\n {\n ...\n if (inline_version == 1 || /* initial version, no data */\n inline_version == CEPH_INLINE_NONE)\n goto out_unlock;\n ...\n }\n\nThe inline_version will be 1, which is the initial version for the\nnew create file. And here the ci-\u003ei_inline_version will keep with 1,\nit\u0027s buggy.\n\n3, buffer write to the file immediately:\n\n ceph_write_iter()--\u003e\n ceph_get_caps(file, need=Fw, want=Fb, ...);\n generic_perform_write()--\u003e\n a_ops-\u003ewrite_begin()--\u003e\n ceph_write_begin()--\u003e\n netfs_write_begin()--\u003e\n netfs_begin_read()--\u003e\n netfs_rreq_submit_slice()--\u003e\n netfs_read_from_server()--\u003e\n rreq-\u003enetfs_ops-\u003eissue_read()--\u003e\n ceph_netfs_issue_read()--\u003e\n {\n ...\n if (ci-\u003ei_inline_version != CEPH_INLINE_NONE \u0026\u0026\n ceph_netfs_issue_op_inline(subreq))\n return;\n ...\n }\n ceph_put_cap_refs(ci, Fwb);\n\nThe ceph_netfs_issue_op_inline() will send a getattr(Fsr) request to\nmds.1.\n\n4, then the mds.1 will request the rd lock for CInode::filelock from\nthe auth mds.0, the mds.0 will do the CInode::filelock state transation\nfrom excl --\u003e sync, but it need to revoke the Fxwb caps back from the\nclients.\n\nWhile the kernel client has aleady held the Fwb caps and waiting for\nthe getattr(Fsr).\n\nIt\u0027s deadlock!\n\nURL: https://tracker.ceph.com/issues/55377"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:33.603Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/292b7a7275ce535a1abfa4dd0b2e586162aaae1e"
},
{
"url": "https://git.kernel.org/stable/c/825978fd6a0defc3c29d8a38b6cea76a0938d21e"
}
],
"title": "ceph: fix possible deadlock when holding Fwb to get inline_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49296",
"datePublished": "2025-02-26T02:01:26.131Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-01T19:46:59.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21791 (GCVE-0-2025-21791)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out()
l3mdev_l3_out() can be called without RCU being held:
raw_sendmsg()
ip_push_pending_frames()
ip_send_skb()
ip_local_out()
__ip_local_out()
l3mdev_ip_out()
Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 Version: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:16.236835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:34.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/l3mdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
},
{
"lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
"status": "affected",
"version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/l3mdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n ip_send_skb()\n ip_local_out()\n __ip_local_out()\n l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:18.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
},
{
"url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
},
{
"url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
},
{
"url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
},
{
"url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
},
{
"url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
},
{
"url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
},
{
"url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
}
],
"title": "vrf: use RCU protection in l3mdev_l3_out()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21791",
"datePublished": "2025-02-27T02:18:29.014Z",
"dateReserved": "2024-12-29T08:45:45.766Z",
"dateUpdated": "2025-11-03T20:59:34.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49714 (GCVE-0-2022-49714)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/realtek-rtl: Fix refcount leak in map_interrupts
of_find_node_by_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
This function doesn't call of_node_put() in error path.
Call of_node_put() directly after of_property_read_u32() to cover
both normal path and error path.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:40.370260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:05.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-realtek-rtl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e85b1b797de0e7a271b906291ce28245822820b8",
"status": "affected",
"version": "9f3a0f34b84ad1b9a8f2bdae44b66f16685b2143",
"versionType": "git"
},
{
"lessThan": "f6d6223df0666fbc054e3a8c6ac14eb0af37c286",
"status": "affected",
"version": "9f3a0f34b84ad1b9a8f2bdae44b66f16685b2143",
"versionType": "git"
},
{
"lessThan": "eff4780f83d0ae3e5b6c02ff5d999dc4c1c5c8ce",
"status": "affected",
"version": "9f3a0f34b84ad1b9a8f2bdae44b66f16685b2143",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-realtek-rtl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/realtek-rtl: Fix refcount leak in map_interrupts\n\nof_find_node_by_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nThis function doesn\u0027t call of_node_put() in error path.\nCall of_node_put() directly after of_property_read_u32() to cover\nboth normal path and error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:55.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e85b1b797de0e7a271b906291ce28245822820b8"
},
{
"url": "https://git.kernel.org/stable/c/f6d6223df0666fbc054e3a8c6ac14eb0af37c286"
},
{
"url": "https://git.kernel.org/stable/c/eff4780f83d0ae3e5b6c02ff5d999dc4c1c5c8ce"
}
],
"title": "irqchip/realtek-rtl: Fix refcount leak in map_interrupts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49714",
"datePublished": "2025-02-26T02:24:30.224Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-10-01T20:17:05.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49713 (GCVE-0-2022-49713)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc2: Fix memory leak in dwc2_hcd_init
usb_create_hcd will alloc memory for hcd, and we should
call usb_put_hcd to free it when platform_get_resource()
fails to prevent memory leak.
goto error2 label instead error1 to fix this.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4b7f4a0eb92bf37bea4cd838c7f83ea42823ca8b Version: a7182993dd8e09f96839ddc3ac54f9b37370d282 Version: 8b9c1c33e51d0959f2aec573dfbac0ffd3f5c0b7 Version: 2754fa3b73df7d0ae042f3ed6cfd9df9042f6262 Version: 856e6e8e0f9300befa87dde09edb578555c99a82 Version: 856e6e8e0f9300befa87dde09edb578555c99a82 Version: 856e6e8e0f9300befa87dde09edb578555c99a82 Version: 337f00a0bc62d7cb7d10ec0b872c79009a1641df |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:22.966404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:44.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc2/hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "981ee40649e5fd9550f82db1fbb3bfab037da346",
"status": "affected",
"version": "4b7f4a0eb92bf37bea4cd838c7f83ea42823ca8b",
"versionType": "git"
},
{
"lessThan": "84e6d0af87e27bbc0db94f2e7323b34abe17b6e5",
"status": "affected",
"version": "a7182993dd8e09f96839ddc3ac54f9b37370d282",
"versionType": "git"
},
{
"lessThan": "6506aff2dc2f7059aa3d45ee2e8639b25e87090f",
"status": "affected",
"version": "8b9c1c33e51d0959f2aec573dfbac0ffd3f5c0b7",
"versionType": "git"
},
{
"lessThan": "a44a8a762f7fe9ad3c065813d058e835a6180cb2",
"status": "affected",
"version": "2754fa3b73df7d0ae042f3ed6cfd9df9042f6262",
"versionType": "git"
},
{
"lessThan": "701d8ec01e0f229d4db6f43d3d64ee479120cbeb",
"status": "affected",
"version": "856e6e8e0f9300befa87dde09edb578555c99a82",
"versionType": "git"
},
{
"lessThan": "52bfcedbfd5bf962dbdcb6e761f4d0dd3ba26dfd",
"status": "affected",
"version": "856e6e8e0f9300befa87dde09edb578555c99a82",
"versionType": "git"
},
{
"lessThan": "3755278f078460b021cd0384562977bf2039a57a",
"status": "affected",
"version": "856e6e8e0f9300befa87dde09edb578555c99a82",
"versionType": "git"
},
{
"status": "affected",
"version": "337f00a0bc62d7cb7d10ec0b872c79009a1641df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc2/hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "4.14.250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.19.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "5.4.152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "5.10.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: Fix memory leak in dwc2_hcd_init\n\nusb_create_hcd will alloc memory for hcd, and we should\ncall usb_put_hcd to free it when platform_get_resource()\nfails to prevent memory leak.\ngoto error2 label instead error1 to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:11.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/981ee40649e5fd9550f82db1fbb3bfab037da346"
},
{
"url": "https://git.kernel.org/stable/c/84e6d0af87e27bbc0db94f2e7323b34abe17b6e5"
},
{
"url": "https://git.kernel.org/stable/c/6506aff2dc2f7059aa3d45ee2e8639b25e87090f"
},
{
"url": "https://git.kernel.org/stable/c/a44a8a762f7fe9ad3c065813d058e835a6180cb2"
},
{
"url": "https://git.kernel.org/stable/c/701d8ec01e0f229d4db6f43d3d64ee479120cbeb"
},
{
"url": "https://git.kernel.org/stable/c/52bfcedbfd5bf962dbdcb6e761f4d0dd3ba26dfd"
},
{
"url": "https://git.kernel.org/stable/c/3755278f078460b021cd0384562977bf2039a57a"
}
],
"title": "usb: dwc2: Fix memory leak in dwc2_hcd_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49713",
"datePublished": "2025-02-26T02:24:29.566Z",
"dateReserved": "2025-02-26T02:21:30.444Z",
"dateUpdated": "2025-10-01T19:36:44.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47653 (GCVE-0-2021-47653)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: davinci: vpif: fix use-after-free on driver unbind
The driver allocates and registers two platform device structures during
probe, but the devices were never deregistered on driver unbind.
This results in a use-after-free on driver unbind as the device
structures were allocated using devres and would be freed by driver
core when remove() returns.
Fix this by adding the missing deregistration calls to the remove()
callback and failing probe on registration errors.
Note that the platform device structures must be freed using a proper
release callback to avoid leaking associated resources like device
names.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47653",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:48.500799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/davinci/vpif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6512c3c39cb6b573b791ce45365818a38b76afbe",
"status": "affected",
"version": "479f7a1181058689435baddc16a6a42e1a8ff0e8",
"versionType": "git"
},
{
"lessThan": "b5a3bb7f6f164eb6ee74ef4898dcd019b2063448",
"status": "affected",
"version": "479f7a1181058689435baddc16a6a42e1a8ff0e8",
"versionType": "git"
},
{
"lessThan": "9ffc602e14d7b9f7e7cb2f67e18dfef9ef8af676",
"status": "affected",
"version": "479f7a1181058689435baddc16a6a42e1a8ff0e8",
"versionType": "git"
},
{
"lessThan": "43acb728bbc40169d2e2425e84a80068270974be",
"status": "affected",
"version": "479f7a1181058689435baddc16a6a42e1a8ff0e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/davinci/vpif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: davinci: vpif: fix use-after-free on driver unbind\n\nThe driver allocates and registers two platform device structures during\nprobe, but the devices were never deregistered on driver unbind.\n\nThis results in a use-after-free on driver unbind as the device\nstructures were allocated using devres and would be freed by driver\ncore when remove() returns.\n\nFix this by adding the missing deregistration calls to the remove()\ncallback and failing probe on registration errors.\n\nNote that the platform device structures must be freed using a proper\nrelease callback to avoid leaking associated resources like device\nnames."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:34.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6512c3c39cb6b573b791ce45365818a38b76afbe"
},
{
"url": "https://git.kernel.org/stable/c/b5a3bb7f6f164eb6ee74ef4898dcd019b2063448"
},
{
"url": "https://git.kernel.org/stable/c/9ffc602e14d7b9f7e7cb2f67e18dfef9ef8af676"
},
{
"url": "https://git.kernel.org/stable/c/43acb728bbc40169d2e2425e84a80068270974be"
}
],
"title": "media: davinci: vpif: fix use-after-free on driver unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47653",
"datePublished": "2025-02-26T01:54:18.596Z",
"dateReserved": "2025-02-26T01:48:21.520Z",
"dateUpdated": "2025-05-04T07:15:34.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49564 (GCVE-0-2022-49564)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - add param check for DH
Reject requests with a source buffer that is bigger than the size of the
key. This is to prevent a possible integer underflow that might happen
when copying the source scatterlist into a linear buffer.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:06.730762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:38.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7f979ed51f96495328157df663c835b17db1e30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76c9216833e7c20a67c987cf89719a3f01666aaa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2acbb8771f6ac82422886e63832ee7a0f4b1635b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_asym_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:44.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7f979ed51f96495328157df663c835b17db1e30"
},
{
"url": "https://git.kernel.org/stable/c/76c9216833e7c20a67c987cf89719a3f01666aaa"
},
{
"url": "https://git.kernel.org/stable/c/2acbb8771f6ac82422886e63832ee7a0f4b1635b"
}
],
"title": "crypto: qat - add param check for DH",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49564",
"datePublished": "2025-02-26T02:23:10.733Z",
"dateReserved": "2025-02-26T02:21:30.410Z",
"dateUpdated": "2025-10-01T19:46:38.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49273 (GCVE-0-2022-49273)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: pl031: fix rtc features null pointer dereference
When there is no interrupt line, rtc alarm feature is disabled.
The clearing of the alarm feature bit was being done prior to allocations
of ldata->rtc device, resulting in a null pointer dereference.
Clear RTC_FEATURE_ALARM after the rtc device is allocated.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:38.229436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:02.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-pl031.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd2722e411e8ab7e5ae41102f6925fa13dffdac5",
"status": "affected",
"version": "d9b0dd54a1943f47a381a474f8ea2c94466110c0",
"versionType": "git"
},
{
"lessThan": "d274ce4a3dfd0b9a292667535578359b865765cb",
"status": "affected",
"version": "d9b0dd54a1943f47a381a474f8ea2c94466110c0",
"versionType": "git"
},
{
"lessThan": "1b915703964f7e636961df04c540261dc55c6c70",
"status": "affected",
"version": "d9b0dd54a1943f47a381a474f8ea2c94466110c0",
"versionType": "git"
},
{
"lessThan": "ea6af39f3da50c86367a71eb3cc674ade3ed244c",
"status": "affected",
"version": "d9b0dd54a1943f47a381a474f8ea2c94466110c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-pl031.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: pl031: fix rtc features null pointer dereference\n\nWhen there is no interrupt line, rtc alarm feature is disabled.\n\nThe clearing of the alarm feature bit was being done prior to allocations\nof ldata-\u003ertc device, resulting in a null pointer dereference.\n\nClear RTC_FEATURE_ALARM after the rtc device is allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:55.937Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd2722e411e8ab7e5ae41102f6925fa13dffdac5"
},
{
"url": "https://git.kernel.org/stable/c/d274ce4a3dfd0b9a292667535578359b865765cb"
},
{
"url": "https://git.kernel.org/stable/c/1b915703964f7e636961df04c540261dc55c6c70"
},
{
"url": "https://git.kernel.org/stable/c/ea6af39f3da50c86367a71eb3cc674ade3ed244c"
}
],
"title": "rtc: pl031: fix rtc features null pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49273",
"datePublished": "2025-02-26T01:56:19.110Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-10-01T19:47:02.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49646 (GCVE-0-2022-49646)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-06-19 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix queue selection for mesh/OCB interfaces
When using iTXQ, the code assumes that there is only one vif queue for
broadcast packets, using the BE queue. Allowing non-BE queue marking
violates that assumption and txq->ac == skb_queue_mapping is no longer
guaranteed. This can cause issues with queue handling in the driver and
also causes issues with the recent ATF change, resulting in an AQL
underflow warning.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/wme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "444be5a02b77f3b7a8ac9c1a0b074fbb3bd89cd0",
"status": "affected",
"version": "1974da8b31e6ea9c96c21505ffcb546fa59add23",
"versionType": "git"
},
{
"lessThan": "e013ea2a51a94b903b396a8dff531a07d470335d",
"status": "affected",
"version": "1974da8b31e6ea9c96c21505ffcb546fa59add23",
"versionType": "git"
},
{
"lessThan": "5a9df31017999197b6e60535940f2f2fe1bd3b0d",
"status": "affected",
"version": "1974da8b31e6ea9c96c21505ffcb546fa59add23",
"versionType": "git"
},
{
"lessThan": "41ecab279a70dced9005f4d55fa0fcde8938603f",
"status": "affected",
"version": "1974da8b31e6ea9c96c21505ffcb546fa59add23",
"versionType": "git"
},
{
"lessThan": "50e2ab39291947b6c6c7025cf01707c270fcde59",
"status": "affected",
"version": "1974da8b31e6ea9c96c21505ffcb546fa59add23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/wme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix queue selection for mesh/OCB interfaces\n\nWhen using iTXQ, the code assumes that there is only one vif queue for\nbroadcast packets, using the BE queue. Allowing non-BE queue marking\nviolates that assumption and txq-\u003eac == skb_queue_mapping is no longer\nguaranteed. This can cause issues with queue handling in the driver and\nalso causes issues with the recent ATF change, resulting in an AQL\nunderflow warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:56:22.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/444be5a02b77f3b7a8ac9c1a0b074fbb3bd89cd0"
},
{
"url": "https://git.kernel.org/stable/c/e013ea2a51a94b903b396a8dff531a07d470335d"
},
{
"url": "https://git.kernel.org/stable/c/5a9df31017999197b6e60535940f2f2fe1bd3b0d"
},
{
"url": "https://git.kernel.org/stable/c/41ecab279a70dced9005f4d55fa0fcde8938603f"
},
{
"url": "https://git.kernel.org/stable/c/50e2ab39291947b6c6c7025cf01707c270fcde59"
}
],
"title": "wifi: mac80211: fix queue selection for mesh/OCB interfaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49646",
"datePublished": "2025-02-26T02:23:51.083Z",
"dateReserved": "2025-02-26T02:21:30.432Z",
"dateUpdated": "2025-06-19T12:56:22.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57993 (GCVE-0-2024-57993)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check
syzbot has found a type mismatch between a USB pipe and the transfer
endpoint, which is triggered by the hid-thrustmaster driver[1].
There is a number of similar, already fixed issues [2].
In this case as in others, implementing check for endpoint type fixes the issue.
[1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470
[2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:06.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-thrustmaster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "220883fba32549a34f0734e4859d07f4dcd56992",
"status": "affected",
"version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
"versionType": "git"
},
{
"lessThan": "ae730deded66150204c494282969bfa98dc3ae67",
"status": "affected",
"version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
"versionType": "git"
},
{
"lessThan": "e5bcae4212a6a4b4204f46a1b8bcba08909d2007",
"status": "affected",
"version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
"versionType": "git"
},
{
"lessThan": "816e84602900f7f951458d743fa12769635ebfd5",
"status": "affected",
"version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
"versionType": "git"
},
{
"lessThan": "50420d7c79c37a3efe4010ff9b1bb14bc61ebccf",
"status": "affected",
"version": "c49c33637802a2c6957a78119eb8be3b055dd9e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-thrustmaster.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check\n\nsyzbot has found a type mismatch between a USB pipe and the transfer\nendpoint, which is triggered by the hid-thrustmaster driver[1].\nThere is a number of similar, already fixed issues [2].\nIn this case as in others, implementing check for endpoint type fixes the issue.\n\n[1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470\n[2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:55.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/220883fba32549a34f0734e4859d07f4dcd56992"
},
{
"url": "https://git.kernel.org/stable/c/ae730deded66150204c494282969bfa98dc3ae67"
},
{
"url": "https://git.kernel.org/stable/c/e5bcae4212a6a4b4204f46a1b8bcba08909d2007"
},
{
"url": "https://git.kernel.org/stable/c/816e84602900f7f951458d743fa12769635ebfd5"
},
{
"url": "https://git.kernel.org/stable/c/50420d7c79c37a3efe4010ff9b1bb14bc61ebccf"
}
],
"title": "HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57993",
"datePublished": "2025-02-27T02:07:14.953Z",
"dateReserved": "2025-02-27T02:04:28.914Z",
"dateUpdated": "2025-11-03T19:33:06.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21861 (GCVE-0-2025-21861)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-02 13:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
If migration succeeded, we called
folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
old to the new folio. This will set memcg_data of the old folio to 0.
Similarly, if migration failed, memcg_data of the dst folio is left unset.
If we call folio_putback_lru() on such folios (memcg_data == 0), we will
add the folio to be freed to the LRU, making memcg code unhappy. Running
the hmm selftests:
# ./hmm-tests
...
# RUN hmm.hmm_device_private.migrate ...
[ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
[ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
[ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
[ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
[ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 102.087230][T14893] ------------[ cut here ]------------
[ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.090478][T14893] Modules linked in:
[ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
[ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
[ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.096104][T14893] Code: ...
[ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
[ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
[ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
[ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
[ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
[ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
[ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
[ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
[ 102.113478][T14893] PKRU: 55555554
[ 102.114172][T14893] Call Trace:
[ 102.114805][T14893] <TASK>
[ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.116547][T14893] ? __warn.cold+0x110/0x210
[ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.118667][T14893] ? report_bug+0x1b9/0x320
[ 102.119571][T14893] ? handle_bug+0x54/0x90
[ 102.120494][T14893] ? exc_invalid_op+0x17/0x50
[ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20
[ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0
[ 102.123506][T14893] ? dump_page+0x4f/0x60
[ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200
[ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720
[ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.129550][T14893] folio_putback_lru+0x16/0x80
[ 102.130564][T14893] migrate_device_finalize+0x9b/0x530
[ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
[ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80
Likely, nothing else goes wrong: putting the last folio reference will
remove the folio from the LRU again. So besides memcg complaining, adding
the folio to be freed to the LRU is just an unnecessary step.
The new flow resembles what we have in migrate_folio_move(): add the dst
to the lru, rem
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 Version: 8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:46.861929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61fa824e304ed162fe965f64999068e6fcff2059",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "64397b0cb7c09e3ef3f9f5c7c17299c4eebd3875",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "4f52f7c50f5b6f5eeb06823e21fe546d90f9c595",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "20fb6fc51863fbff7868de8b5f6d249d2094df1f",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "78f579cb7d825134e071a1714d8d0c4fd0ffe459",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "069dd21ea8262204f94737878389c2815a054a9e",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
},
{
"lessThan": "41cddf83d8b00f29fd105e7a0777366edc69a5cf",
"status": "affected",
"version": "8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()\n\nIf migration succeeded, we called\nfolio_migrate_flags()-\u003emem_cgroup_migrate() to migrate the memcg from the\nold to the new folio. This will set memcg_data of the old folio to 0.\n\nSimilarly, if migration failed, memcg_data of the dst folio is left unset.\n\nIf we call folio_putback_lru() on such folios (memcg_data == 0), we will\nadd the folio to be freed to the LRU, making memcg code unhappy. Running\nthe hmm selftests:\n\n # ./hmm-tests\n ...\n # RUN hmm.hmm_device_private.migrate ...\n [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00\n [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)\n [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9\n [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000\n [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg \u0026\u0026 !mem_cgroup_disabled())\n [ 102.087230][T14893] ------------[ cut here ]------------\n [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.090478][T14893] Modules linked in:\n [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151\n [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.096104][T14893] Code: ...\n [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293\n [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426\n [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880\n [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\n [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8\n [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000\n [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000\n [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0\n [ 102.113478][T14893] PKRU: 55555554\n [ 102.114172][T14893] Call Trace:\n [ 102.114805][T14893] \u003cTASK\u003e\n [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.116547][T14893] ? __warn.cold+0x110/0x210\n [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.118667][T14893] ? report_bug+0x1b9/0x320\n [ 102.119571][T14893] ? handle_bug+0x54/0x90\n [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50\n [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20\n [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0\n [ 102.123506][T14893] ? dump_page+0x4f/0x60\n [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200\n [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720\n [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.129550][T14893] folio_putback_lru+0x16/0x80\n [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530\n [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0\n [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80\n\nLikely, nothing else goes wrong: putting the last folio reference will\nremove the folio from the LRU again. So besides memcg complaining, adding\nthe folio to be freed to the LRU is just an unnecessary step.\n\nThe new flow resembles what we have in migrate_folio_move(): add the dst\nto the lru, rem\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:25:41.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61fa824e304ed162fe965f64999068e6fcff2059"
},
{
"url": "https://git.kernel.org/stable/c/64397b0cb7c09e3ef3f9f5c7c17299c4eebd3875"
},
{
"url": "https://git.kernel.org/stable/c/4f52f7c50f5b6f5eeb06823e21fe546d90f9c595"
},
{
"url": "https://git.kernel.org/stable/c/20fb6fc51863fbff7868de8b5f6d249d2094df1f"
},
{
"url": "https://git.kernel.org/stable/c/78f579cb7d825134e071a1714d8d0c4fd0ffe459"
},
{
"url": "https://git.kernel.org/stable/c/3f9240d59e9a95d19f06120bfd1d0e681c6c0ac7"
},
{
"url": "https://git.kernel.org/stable/c/069dd21ea8262204f94737878389c2815a054a9e"
},
{
"url": "https://git.kernel.org/stable/c/41cddf83d8b00f29fd105e7a0777366edc69a5cf"
}
],
"title": "mm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21861",
"datePublished": "2025-03-12T09:42:19.199Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-10-02T13:25:41.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21706 (GCVE-0-2025-21706)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: only set fullmesh for subflow endp
With the in-kernel path-manager, it is possible to change the 'fullmesh'
flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on
'subflow' endpoints, to recreate more or less subflows using the linked
address.
Unfortunately, the set_flags() hook was a bit more permissive, and
allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not
allowed before.
That's what syzbot found, triggering the following warning:
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
Modules linked in:
CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064
Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48
RSP: 0018:ffffc9000d307240 EFLAGS: 00010293
RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e
R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0
R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d
FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
___sys_sendmsg net/socket.c:2637 [inline]
__sys_sendmsg+0x269/0x350 net/socket.c:2669
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5fe8785d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29
RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007
RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:57.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22b0734c9401a74ed4ebd9e8ef0da33e493852eb",
"status": "affected",
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"versionType": "git"
},
{
"lessThan": "de3b8d41d2547452c4cafb146d003fa4689fbaf2",
"status": "affected",
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"versionType": "git"
},
{
"lessThan": "8ac344cbd84fda75e05e1f445f7f8fb24dc175e1",
"status": "affected",
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"versionType": "git"
},
{
"lessThan": "9e3d61620a3cd033319553b980ff3a350adbe1bc",
"status": "affected",
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"versionType": "git"
},
{
"lessThan": "1bb0d1348546ad059f55c93def34e67cb2a034a6",
"status": "affected",
"version": "73c762c1f07dacba4fd1cefd15e24b419d42320d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the \u0027fullmesh\u0027\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n\u0027subflow\u0027 endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed \u0027implicit\u0027 endpoints to get the \u0027fullmesh\u0027 flag while it is not\nallowed before.\n\nThat\u0027s what syzbot found, triggering the following warning:\n\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Modules linked in:\n CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 \u003c0f\u003e 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n ___sys_sendmsg net/socket.c:2637 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2669\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f5fe8785d29\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:23.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb"
},
{
"url": "https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2"
},
{
"url": "https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1"
},
{
"url": "https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc"
},
{
"url": "https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6"
}
],
"title": "mptcp: pm: only set fullmesh for subflow endp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21706",
"datePublished": "2025-02-27T02:07:20.458Z",
"dateReserved": "2024-12-29T08:45:45.751Z",
"dateUpdated": "2025-11-03T19:35:57.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58006 (GCVE-0-2024-58006)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 10:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()
In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update
inbound map address") set_bar() was modified to support dynamically
changing the backing physical address of a BAR that was already configured.
This means that set_bar() can be called twice, without ever calling
clear_bar() (as calling clear_bar() would clear the BAR's PCI address
assigned by the host).
This can only be done if the new BAR size/flags does not differ from the
existing BAR configuration. Add these missing checks.
If we allow set_bar() to set e.g. a new BAR size that differs from the
existing BAR size, the new address translation range will be smaller than
the BAR size already determined by the host, which would mean that a read
past the new BAR size would pass the iATU untranslated, which could allow
the host to read memory not belonging to the new struct pci_epf_bar.
While at it, add comments which clarifies the support for dynamically
changing the physical address of a BAR. (Which was also missing.)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/dwc/pcie-designware-ep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5cacfd067060c75088363ed3e19779078be2755",
"status": "affected",
"version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
"versionType": "git"
},
{
"lessThan": "3229c15d6267de8e704b4085df8a82a5af2d63eb",
"status": "affected",
"version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
"versionType": "git"
},
{
"lessThan": "3708acbd5f169ebafe1faa519cb28adc56295546",
"status": "affected",
"version": "4284c88fff0efc4e418abb53d78e02dc4f099d6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/dwc/pcie-designware-ep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()\n\nIn commit 4284c88fff0e (\"PCI: designware-ep: Allow pci_epc_set_bar() update\ninbound map address\") set_bar() was modified to support dynamically\nchanging the backing physical address of a BAR that was already configured.\n\nThis means that set_bar() can be called twice, without ever calling\nclear_bar() (as calling clear_bar() would clear the BAR\u0027s PCI address\nassigned by the host).\n\nThis can only be done if the new BAR size/flags does not differ from the\nexisting BAR configuration. Add these missing checks.\n\nIf we allow set_bar() to set e.g. a new BAR size that differs from the\nexisting BAR size, the new address translation range will be smaller than\nthe BAR size already determined by the host, which would mean that a read\npast the new BAR size would pass the iATU untranslated, which could allow\nthe host to read memory not belonging to the new struct pci_epf_bar.\n\nWhile at it, add comments which clarifies the support for dynamically\nchanging the physical address of a BAR. (Which was also missing.)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:15.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5cacfd067060c75088363ed3e19779078be2755"
},
{
"url": "https://git.kernel.org/stable/c/3229c15d6267de8e704b4085df8a82a5af2d63eb"
},
{
"url": "https://git.kernel.org/stable/c/3708acbd5f169ebafe1faa519cb28adc56295546"
}
],
"title": "PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58006",
"datePublished": "2025-02-27T02:12:02.932Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-05-04T10:08:15.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49421 (GCVE-0-2022-49421)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
of_parse_phandle() returns a node pointer with refcount incremented, we should
use of_node_put() on it when not need anymore. Add missing of_node_put() to
avoid refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b Version: d10715be03bd8bad59ddc50236cb140c3bd73c7b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/amba-clcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c92711db7c90f78e0b67ac2a8944d0fe7e12d83",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "2e2e2c71b2642289438392edbf5d08cdbc0b138b",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "51eb1bb6baeb478538dd4ec6459fd68c44a855b1",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "8db59df7f5826e104db82cfddbf22a33a151193e",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "c1c4405222b6fc98c16e8c2aa679c14e41d81465",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "f2dfb4ab887d67be7d0892ba041d3c8d738d3356",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "bbb2a24e863b6a10129546a0a4ceea2f07deec39",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "38d245cebf545338a6bc1c7762023de3fbecd7b7",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
},
{
"lessThan": "b23789a59fa6f00e98a319291819f91fbba0deb8",
"status": "affected",
"version": "d10715be03bd8bad59ddc50236cb140c3bd73c7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/amba-clcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup\n\nof_parse_phandle() returns a node pointer with refcount incremented, we should\nuse of_node_put() on it when not need anymore. Add missing of_node_put() to\navoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:19.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c92711db7c90f78e0b67ac2a8944d0fe7e12d83"
},
{
"url": "https://git.kernel.org/stable/c/2e2e2c71b2642289438392edbf5d08cdbc0b138b"
},
{
"url": "https://git.kernel.org/stable/c/51eb1bb6baeb478538dd4ec6459fd68c44a855b1"
},
{
"url": "https://git.kernel.org/stable/c/8db59df7f5826e104db82cfddbf22a33a151193e"
},
{
"url": "https://git.kernel.org/stable/c/c1c4405222b6fc98c16e8c2aa679c14e41d81465"
},
{
"url": "https://git.kernel.org/stable/c/f2dfb4ab887d67be7d0892ba041d3c8d738d3356"
},
{
"url": "https://git.kernel.org/stable/c/bbb2a24e863b6a10129546a0a4ceea2f07deec39"
},
{
"url": "https://git.kernel.org/stable/c/38d245cebf545338a6bc1c7762023de3fbecd7b7"
},
{
"url": "https://git.kernel.org/stable/c/b23789a59fa6f00e98a319291819f91fbba0deb8"
}
],
"title": "video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49421",
"datePublished": "2025-02-26T02:12:44.790Z",
"dateReserved": "2025-02-26T02:08:31.568Z",
"dateUpdated": "2025-05-04T08:37:19.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50152 (GCVE-0-2024-50152)
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2025-05-04 09:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix possible double free in smb2_set_ea()
Clang static checker(scan-build) warning:
fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
1304 | kfree(ea);
| ^~~~~~~~~
There is a double free in such case:
'ea is initialized to NULL' -> 'first successful memory allocation for
ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
for ea' -> 'second memory release for ea resulted in double free'.
Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
double free problem.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1813c220b76f60b1727984794377c4aa849d4c1",
"status": "affected",
"version": "433042a91f9373241307725b52de573933ffedbf",
"versionType": "git"
},
{
"lessThan": "c9f758ecf2562dfdd4adf12c22921b5de8366123",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
},
{
"lessThan": "19ebc1e6cab334a8193398d4152deb76019b5d34",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix possible double free in smb2_set_ea()\n\nClang static checker(scan-build) warning\uff1a\nfs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.\n 1304 | kfree(ea);\n | ^~~~~~~~~\n\nThere is a double free in such case:\n\u0027ea is initialized to NULL\u0027 -\u003e \u0027first successful memory allocation for\nea\u0027 -\u003e \u0027something failed, goto sea_exit\u0027 -\u003e \u0027first memory release for ea\u0027\n-\u003e \u0027goto replay_again\u0027 -\u003e \u0027second goto sea_exit before allocate memory\nfor ea\u0027 -\u003e \u0027second memory release for ea resulted in double free\u0027.\n\nRe-initialie \u0027ea\u0027 to NULL near to the replay_again label, it can fix this\ndouble free problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:47:22.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1813c220b76f60b1727984794377c4aa849d4c1"
},
{
"url": "https://git.kernel.org/stable/c/c9f758ecf2562dfdd4adf12c22921b5de8366123"
},
{
"url": "https://git.kernel.org/stable/c/19ebc1e6cab334a8193398d4152deb76019b5d34"
}
],
"title": "smb: client: fix possible double free in smb2_set_ea()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50152",
"datePublished": "2024-11-07T09:31:28.733Z",
"dateReserved": "2024-10-21T19:36:19.959Z",
"dateUpdated": "2025-05-04T09:47:22.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49064 (GCVE-0-2022-49064)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: unmark inode in use in error path
Unmark inode in use if error encountered. If the in-use flag leakage
occurs in cachefiles_open_file(), Cachefiles will complain "Inode
already in use" when later another cookie with the same index key is
looked up.
If the in-use flag leakage occurs in cachefiles_create_tmpfile(), though
the "Inode already in use" warning won't be triggered, fix the leakage
anyway.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cachefiles/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2055abafd3d4ee0376fb3eed5cae866316995a1",
"status": "affected",
"version": "1f08c925e7a38002bde509e66f6f891468848511",
"versionType": "git"
},
{
"lessThan": "ea5dc046127e857a7873ae55fd57c866e9e86fb2",
"status": "affected",
"version": "1f08c925e7a38002bde509e66f6f891468848511",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cachefiles/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: unmark inode in use in error path\n\nUnmark inode in use if error encountered. If the in-use flag leakage\noccurs in cachefiles_open_file(), Cachefiles will complain \"Inode\nalready in use\" when later another cookie with the same index key is\nlooked up.\n\nIf the in-use flag leakage occurs in cachefiles_create_tmpfile(), though\nthe \"Inode already in use\" warning won\u0027t be triggered, fix the leakage\nanyway."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:57.648Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2055abafd3d4ee0376fb3eed5cae866316995a1"
},
{
"url": "https://git.kernel.org/stable/c/ea5dc046127e857a7873ae55fd57c866e9e86fb2"
}
],
"title": "cachefiles: unmark inode in use in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49064",
"datePublished": "2025-02-26T01:54:33.164Z",
"dateReserved": "2025-02-26T01:49:39.244Z",
"dateUpdated": "2025-05-04T08:28:57.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49733 (GCVE-0-2022-49733)
Vulnerability from cvelistv5
Published
2025-03-02 14:30
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
There is a small race window at snd_pcm_oss_sync() that is called from
OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
for the rest. When the stream is set up again by another thread
between them, it leads to inconsistency, and may result in unexpected
results such as NULL dereference of OSS buffer as a fuzzer spotted
recently.
The fix is simply to cover snd_pcm_oss_make_ready() call into the same
params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:32.574856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:38.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4051324a6dafd7053c74c475e80b3ba10ae672b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fce793a056c604b41a298317cf704dae255f1b36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8015ef9e8a0ee5cecfd0cb6805834d007ab26f86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "723ac5ab2891b6c10dd6cc78ef5456af593490eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8423f0b6d513b259fdab9c9bf4aaa6188d054c2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.215",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC\n\nThere is a small race window at snd_pcm_oss_sync() that is called from\nOSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls\nsnd_pcm_oss_make_ready() at first, then takes the params_lock mutex\nfor the rest. When the stream is set up again by another thread\nbetween them, it leads to inconsistency, and may result in unexpected\nresults such as NULL dereference of OSS buffer as a fuzzer spotted\nrecently.\n\nThe fix is simply to cover snd_pcm_oss_make_ready() call into the same\nparams_lock mutex with snd_pcm_oss_make_ready_locked() variant."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:18.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4051324a6dafd7053c74c475e80b3ba10ae672b0"
},
{
"url": "https://git.kernel.org/stable/c/fce793a056c604b41a298317cf704dae255f1b36"
},
{
"url": "https://git.kernel.org/stable/c/8015ef9e8a0ee5cecfd0cb6805834d007ab26f86"
},
{
"url": "https://git.kernel.org/stable/c/723ac5ab2891b6c10dd6cc78ef5456af593490eb"
},
{
"url": "https://git.kernel.org/stable/c/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
}
],
"title": "ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49733",
"datePublished": "2025-03-02T14:30:02.838Z",
"dateReserved": "2025-02-26T02:21:30.449Z",
"dateUpdated": "2025-10-01T19:36:38.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21763 (GCVE-0-2025-21763)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
neighbour: use RCU protection in __neigh_notify()
__neigh_notify() can be called without RTNL or RCU protection.
Use RCU protection to avoid potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 Version: 426b5303eb435d98b9bee37a807be386bc2b3320 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:24.552153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:14.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/neighbour.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1aed6be381bcd7f46d4ca9d7ef0f5f3d6a1be32",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "8666e9aab801328c1408a19fbf4070609dc0695a",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "40d8f2f2a373b6c294ffac394d2bb814b572ead1",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "784eb2376270e086f7db136d154b8404edacf97b",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "cdd5c2a12ddad8a77ce1838ff9f29aa587de82df",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "559307d25235e24b5424778c7332451b6c741159",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
},
{
"lessThan": "becbd5850c03ed33b232083dd66c6e38c0c0e569",
"status": "affected",
"version": "426b5303eb435d98b9bee37a807be386bc2b3320",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/neighbour.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: use RCU protection in __neigh_notify()\n\n__neigh_notify() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:35.809Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1aed6be381bcd7f46d4ca9d7ef0f5f3d6a1be32"
},
{
"url": "https://git.kernel.org/stable/c/8666e9aab801328c1408a19fbf4070609dc0695a"
},
{
"url": "https://git.kernel.org/stable/c/40d8f2f2a373b6c294ffac394d2bb814b572ead1"
},
{
"url": "https://git.kernel.org/stable/c/784eb2376270e086f7db136d154b8404edacf97b"
},
{
"url": "https://git.kernel.org/stable/c/1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379"
},
{
"url": "https://git.kernel.org/stable/c/cdd5c2a12ddad8a77ce1838ff9f29aa587de82df"
},
{
"url": "https://git.kernel.org/stable/c/559307d25235e24b5424778c7332451b6c741159"
},
{
"url": "https://git.kernel.org/stable/c/becbd5850c03ed33b232083dd66c6e38c0c0e569"
}
],
"title": "neighbour: use RCU protection in __neigh_notify()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21763",
"datePublished": "2025-02-27T02:18:15.078Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:14.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21741 (GCVE-0-2025-21741)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: fix DPE OoB read
Fix an out-of-bounds DPE read, limit the number of processed DPEs to
the amount that fits into the fixed-size NDP16 header.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:10.721034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:41.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22475242ddb70e35c9148234be9a3aa9fb8efff9",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "5835bf66c50ac2b85ed28b282c2456c3516ef0a6",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "971b8c572559e52d32a2b82f2d9e0685439a0117",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "ee591f2b281721171896117f9946fced31441418",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix DPE OoB read\n\nFix an out-of-bounds DPE read, limit the number of processed DPEs to\nthe amount that fits into the fixed-size NDP16 header."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:08.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22475242ddb70e35c9148234be9a3aa9fb8efff9"
},
{
"url": "https://git.kernel.org/stable/c/5835bf66c50ac2b85ed28b282c2456c3516ef0a6"
},
{
"url": "https://git.kernel.org/stable/c/971b8c572559e52d32a2b82f2d9e0685439a0117"
},
{
"url": "https://git.kernel.org/stable/c/ee591f2b281721171896117f9946fced31441418"
}
],
"title": "usbnet: ipheth: fix DPE OoB read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21741",
"datePublished": "2025-02-27T02:12:15.715Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-10-01T19:36:41.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53019 (GCVE-0-2023-53019)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: validate parameter addr in mdiobus_get_phy()
The caller may pass any value as addr, what may result in an out-of-bounds
access to array mdio_map. One existing case is stmmac_init_phy() that
may pass -1 as addr. Therefore validate addr before using it.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d80c259dfbadefa61b7ea334dfce5cb57f8c72f",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "c431a3d642593bbdb99e8a9e3eed608b730db6f8",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "8a7b9560a3a8eb8724888c426e05926752f73aa0",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "4bc5f1f6bc94e695dfd912122af96e7115a0ddb8",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "ad67de330d83e8078372b52af18ffe8d39e26c85",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "7879626296e6ffd838ae0f2af1ab49ee46354973",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "867dbe784c5010a466f00a7d1467c1c5ea569c75",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: validate parameter addr in mdiobus_get_phy()\n\nThe caller may pass any value as addr, what may result in an out-of-bounds\naccess to array mdio_map. One existing case is stmmac_init_phy() that\nmay pass -1 as addr. Therefore validate addr before using it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:48.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d80c259dfbadefa61b7ea334dfce5cb57f8c72f"
},
{
"url": "https://git.kernel.org/stable/c/c431a3d642593bbdb99e8a9e3eed608b730db6f8"
},
{
"url": "https://git.kernel.org/stable/c/8a7b9560a3a8eb8724888c426e05926752f73aa0"
},
{
"url": "https://git.kernel.org/stable/c/4bc5f1f6bc94e695dfd912122af96e7115a0ddb8"
},
{
"url": "https://git.kernel.org/stable/c/ad67de330d83e8078372b52af18ffe8d39e26c85"
},
{
"url": "https://git.kernel.org/stable/c/7879626296e6ffd838ae0f2af1ab49ee46354973"
},
{
"url": "https://git.kernel.org/stable/c/867dbe784c5010a466f00a7d1467c1c5ea569c75"
}
],
"title": "net: mdio: validate parameter addr in mdiobus_get_phy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53019",
"datePublished": "2025-03-27T16:43:46.493Z",
"dateReserved": "2025-03-27T16:40:15.751Z",
"dateUpdated": "2025-05-04T07:47:48.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49278 (GCVE-0-2022-49278)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: Fix count check in rproc_coredump_write()
Check count for 0, to avoid a potential underflow. Make the check the
same as the one in rproc_recovery_write().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b97b305656a7013690e7b6e310f0e827e0bbff90",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "34afac3c75fa08d6fabbab4c93f0a90618afaaa6",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "a8c3e53517985d69040a1b36a269e85f99cf0cea",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "11572dad9fbadbd9269a2550f7e236b5b8c2d80c",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
},
{
"lessThan": "f89672cc3681952f2d06314981a6b45f8b0045d1",
"status": "affected",
"version": "3afdc59e4390487f04f2435b7e8a6289984e0a1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/remoteproc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: Fix count check in rproc_coredump_write()\n\nCheck count for 0, to avoid a potential underflow. Make the check the\nsame as the one in rproc_recovery_write()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:02.129Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b97b305656a7013690e7b6e310f0e827e0bbff90"
},
{
"url": "https://git.kernel.org/stable/c/34afac3c75fa08d6fabbab4c93f0a90618afaaa6"
},
{
"url": "https://git.kernel.org/stable/c/a8c3e53517985d69040a1b36a269e85f99cf0cea"
},
{
"url": "https://git.kernel.org/stable/c/11572dad9fbadbd9269a2550f7e236b5b8c2d80c"
},
{
"url": "https://git.kernel.org/stable/c/f89672cc3681952f2d06314981a6b45f8b0045d1"
}
],
"title": "remoteproc: Fix count check in rproc_coredump_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49278",
"datePublished": "2025-02-26T01:56:21.546Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-05-04T08:34:02.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49486 (GCVE-0-2022-49486)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: fsl: Fix refcount leak in imx_sgtl5000_probe
of_find_i2c_device_by_node() takes a reference,
In error paths, we should call put_device() to drop
the reference to aviod refount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 81e8e4926167ab32593bbb915b45a42024ca1020 Version: 81e8e4926167ab32593bbb915b45a42024ca1020 Version: 81e8e4926167ab32593bbb915b45a42024ca1020 Version: 81e8e4926167ab32593bbb915b45a42024ca1020 Version: 81e8e4926167ab32593bbb915b45a42024ca1020 Version: 81e8e4926167ab32593bbb915b45a42024ca1020 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:06.570417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-sgtl5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96fc3da6184af5687e153d420cd7dcdeefdd2f9a",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
},
{
"lessThan": "e84aaf23ca82753d765bf84d05295d9d9c5fed29",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
},
{
"lessThan": "922bccdb1796a9e7b989f2bc6d9ada7b499a4329",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
},
{
"lessThan": "4bfbbfdb3d761323127a67d7d765abe2f77d7b21",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
},
{
"lessThan": "7f75e9f629ef54a0845b43889d8ab9dd6e280dd5",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
},
{
"lessThan": "41cd312dfe980af869c3503b4d38e62ed20dd3b7",
"status": "affected",
"version": "81e8e4926167ab32593bbb915b45a42024ca1020",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-sgtl5000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl: Fix refcount leak in imx_sgtl5000_probe\n\nof_find_i2c_device_by_node() takes a reference,\nIn error paths, we should call put_device() to drop\nthe reference to aviod refount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:56.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96fc3da6184af5687e153d420cd7dcdeefdd2f9a"
},
{
"url": "https://git.kernel.org/stable/c/e84aaf23ca82753d765bf84d05295d9d9c5fed29"
},
{
"url": "https://git.kernel.org/stable/c/922bccdb1796a9e7b989f2bc6d9ada7b499a4329"
},
{
"url": "https://git.kernel.org/stable/c/4bfbbfdb3d761323127a67d7d765abe2f77d7b21"
},
{
"url": "https://git.kernel.org/stable/c/7f75e9f629ef54a0845b43889d8ab9dd6e280dd5"
},
{
"url": "https://git.kernel.org/stable/c/41cd312dfe980af869c3503b4d38e62ed20dd3b7"
}
],
"title": "ASoC: fsl: Fix refcount leak in imx_sgtl5000_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49486",
"datePublished": "2025-02-26T02:13:24.815Z",
"dateReserved": "2025-02-26T02:08:31.582Z",
"dateUpdated": "2025-10-01T19:46:44.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49493 (GCVE-0-2022-49493)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-09-03 16:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt5645: Fix errorenous cleanup order
There is a logic error when removing rt5645 device as the function
rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and
delete the &rt5645->btn_check_timer latter. However, since the timer
handler rt5645_btn_check_callback() will re-queue the jack_detect_work,
this cleanup order is buggy.
That is, once the del_timer_sync in rt5645_i2c_remove is concurrently
run with the rt5645_btn_check_callback, the canceled jack_detect_work
will be rescheduled again, leading to possible use-after-free.
This patch fix the issue by placing the del_timer_sync function before
the cancel_delayed_work_sync.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 Version: a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:46.025138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt5645.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "236d29c5857f02e0a53fdf15d3dce1536c4322ce",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "0941150100173d4eaf3fe08ff4b16740e7c3026f",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "abe7554da62cb489712a54de69ef5665c250e564",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "1a5a3dfd9f172dcb115072f0aea5e27d3083c20e",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "061a6159cea583f1155f67d1915917a6b9282662",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "88c09e4812d72c3153afc8e5a45ecac2d0eae3ff",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "453f0920ffc1a28e28ddb9c3cd5562472b2895b0",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
},
{
"lessThan": "2def44d3aec59e38d2701c568d65540783f90f2f",
"status": "affected",
"version": "a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt5645.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix errorenous cleanup order\n\nThere is a logic error when removing rt5645 device as the function\nrt5645_i2c_remove() first cancel the \u0026rt5645-\u003ejack_detect_work and\ndelete the \u0026rt5645-\u003ebtn_check_timer latter. However, since the timer\nhandler rt5645_btn_check_callback() will re-queue the jack_detect_work,\nthis cleanup order is buggy.\n\nThat is, once the del_timer_sync in rt5645_i2c_remove is concurrently\nrun with the rt5645_btn_check_callback, the canceled jack_detect_work\nwill be rescheduled again, leading to possible use-after-free.\n\nThis patch fix the issue by placing the del_timer_sync function before\nthe cancel_delayed_work_sync."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T16:35:17.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/236d29c5857f02e0a53fdf15d3dce1536c4322ce"
},
{
"url": "https://git.kernel.org/stable/c/0941150100173d4eaf3fe08ff4b16740e7c3026f"
},
{
"url": "https://git.kernel.org/stable/c/abe7554da62cb489712a54de69ef5665c250e564"
},
{
"url": "https://git.kernel.org/stable/c/1a5a3dfd9f172dcb115072f0aea5e27d3083c20e"
},
{
"url": "https://git.kernel.org/stable/c/061a6159cea583f1155f67d1915917a6b9282662"
},
{
"url": "https://git.kernel.org/stable/c/88c09e4812d72c3153afc8e5a45ecac2d0eae3ff"
},
{
"url": "https://git.kernel.org/stable/c/453f0920ffc1a28e28ddb9c3cd5562472b2895b0"
},
{
"url": "https://git.kernel.org/stable/c/2def44d3aec59e38d2701c568d65540783f90f2f"
}
],
"title": "ASoC: rt5645: Fix errorenous cleanup order",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49493",
"datePublished": "2025-02-26T02:13:29.518Z",
"dateReserved": "2025-02-26T02:08:31.585Z",
"dateUpdated": "2025-09-03T16:35:17.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21742 (GCVE-0-2025-21742)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: use static NDP16 location in URB
Original code allowed for the start of NDP16 to be anywhere within the
URB based on the `wNdpIndex` value in NTH16. Only the start position of
NDP16 was checked, so it was possible for even the fixed-length part
of NDP16 to extend past the end of URB, leading to an out-of-bounds
read.
On iOS devices, the NDP16 header always directly follows NTH16. Rely on
and check for this specific format.
This, along with NCM-specific minimal URB length check that already
exists, will ensure that the fixed-length part of NDP16 plus a set
amount of DPEs fit within the URB.
Note that this commit alone does not fully address the OoB read.
The limit on the amount of DPEs needs to be enforced separately.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:07.424616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:41.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fb062178e1ce180e2cfdc9abc83a1b9fea381ca",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "cf1ac7f7cf601ac31d1580559c002b5e37b733b7",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "2b619445dcb6dab97d8ed033fb57225aca1288c4",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
},
{
"lessThan": "86586dcb75cb8fd062a518aca8ee667938b91efb",
"status": "affected",
"version": "a2d274c62e44b1995c170595db3865c6fe701226",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/ipheth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: use static NDP16 location in URB\n\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\n\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\n\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\n\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:09.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fb062178e1ce180e2cfdc9abc83a1b9fea381ca"
},
{
"url": "https://git.kernel.org/stable/c/cf1ac7f7cf601ac31d1580559c002b5e37b733b7"
},
{
"url": "https://git.kernel.org/stable/c/2b619445dcb6dab97d8ed033fb57225aca1288c4"
},
{
"url": "https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb"
}
],
"title": "usbnet: ipheth: use static NDP16 location in URB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21742",
"datePublished": "2025-02-27T02:12:16.207Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-10-01T19:36:41.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49549 (GCVE-0-2022-49549)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails
In mce_threshold_create_device(), if threshold_create_bank() fails, the
previously allocated threshold banks array @bp will be leaked because
the call to mce_threshold_remove_device() will not free it.
This happens because mce_threshold_remove_device() fetches the pointer
through the threshold_banks per-CPU variable but bp is written there
only after the bank creation is successful, and not before, when
threshold_create_bank() fails.
Add a helper which unwinds all the bank creation work previously done
and pass into it the previously allocated threshold banks array for
freeing.
[ bp: Massage. ]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49549",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:22.894160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:39.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4acb8e7f1594607bc9017ef0aacb40b24a003d6",
"status": "affected",
"version": "6458de97fc15530b54477c4e2b70af653e8ac3d9",
"versionType": "git"
},
{
"lessThan": "cc0dd4456f9573bf8af9b4d8754433918e809e1e",
"status": "affected",
"version": "6458de97fc15530b54477c4e2b70af653e8ac3d9",
"versionType": "git"
},
{
"lessThan": "9708f1956eeb70c86943e0bc62fa3b0101b59616",
"status": "affected",
"version": "6458de97fc15530b54477c4e2b70af653e8ac3d9",
"versionType": "git"
},
{
"lessThan": "396b8e7ab2a99ddac57d3522b3da5e58cb608d37",
"status": "affected",
"version": "6458de97fc15530b54477c4e2b70af653e8ac3d9",
"versionType": "git"
},
{
"lessThan": "e5f28623ceb103e13fc3d7bd45edf9818b227fd0",
"status": "affected",
"version": "6458de97fc15530b54477c4e2b70af653e8ac3d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/mce/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE/AMD: Fix memory leak when threshold_create_bank() fails\n\nIn mce_threshold_create_device(), if threshold_create_bank() fails, the\npreviously allocated threshold banks array @bp will be leaked because\nthe call to mce_threshold_remove_device() will not free it.\n\nThis happens because mce_threshold_remove_device() fetches the pointer\nthrough the threshold_banks per-CPU variable but bp is written there\nonly after the bank creation is successful, and not before, when\nthreshold_create_bank() fails.\n\nAdd a helper which unwinds all the bank creation work previously done\nand pass into it the previously allocated threshold banks array for\nfreeing.\n\n [ bp: Massage. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:19.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4acb8e7f1594607bc9017ef0aacb40b24a003d6"
},
{
"url": "https://git.kernel.org/stable/c/cc0dd4456f9573bf8af9b4d8754433918e809e1e"
},
{
"url": "https://git.kernel.org/stable/c/9708f1956eeb70c86943e0bc62fa3b0101b59616"
},
{
"url": "https://git.kernel.org/stable/c/396b8e7ab2a99ddac57d3522b3da5e58cb608d37"
},
{
"url": "https://git.kernel.org/stable/c/e5f28623ceb103e13fc3d7bd45edf9818b227fd0"
}
],
"title": "x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49549",
"datePublished": "2025-02-26T02:14:00.256Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-10-01T19:46:39.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56638 (GCVE-0-2024-56638)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-05-04 10:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_inner: incorrect percpu area handling under softirq
Softirq can interrupt ongoing packet from process context that is
walking over the percpu area that contains inner header offsets.
Disable bh and perform three checks before restoring the percpu inner
header offsets to validate that the percpu area is valid for this
skbuff:
1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff
has already been parsed before for inner header fetching to
register.
2) Validate that the percpu area refers to this skbuff using the
skbuff pointer as a cookie. If there is a cookie mismatch, then
this skbuff needs to be parsed again.
3) Finally, validate if the percpu area refers to this tunnel type.
Only after these three checks the percpu area is restored to a on-stack
copy and bh is enabled again.
After inner header fetching, the on-stack copy is stored back to the
percpu area.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables_core.h",
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53c7314208c865086d78b4e88da53bc33da0b603",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "da5cc778e7bf78fe525bc90ec2043f41415c31d9",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "7b1d83da254be3bf054965c8f3b1ad976f460ae5",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables_core.h",
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: incorrect percpu area handling under softirq\n\nSoftirq can interrupt ongoing packet from process context that is\nwalking over the percpu area that contains inner header offsets.\n\nDisable bh and perform three checks before restoring the percpu inner\nheader offsets to validate that the percpu area is valid for this\nskbuff:\n\n1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff\n has already been parsed before for inner header fetching to\n register.\n\n2) Validate that the percpu area refers to this skbuff using the\n skbuff pointer as a cookie. If there is a cookie mismatch, then\n this skbuff needs to be parsed again.\n\n3) Finally, validate if the percpu area refers to this tunnel type.\n\nOnly after these three checks the percpu area is restored to a on-stack\ncopy and bh is enabled again.\n\nAfter inner header fetching, the on-stack copy is stored back to the\npercpu area."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:00:44.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53c7314208c865086d78b4e88da53bc33da0b603"
},
{
"url": "https://git.kernel.org/stable/c/da5cc778e7bf78fe525bc90ec2043f41415c31d9"
},
{
"url": "https://git.kernel.org/stable/c/7b1d83da254be3bf054965c8f3b1ad976f460ae5"
}
],
"title": "netfilter: nft_inner: incorrect percpu area handling under softirq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56638",
"datePublished": "2024-12-27T15:02:40.796Z",
"dateReserved": "2024-12-27T15:00:39.839Z",
"dateUpdated": "2025-05-04T10:00:44.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49485 (GCVE-0-2022-49485)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Fix null pointer dereference of pointer perfmon
In the unlikely event that pointer perfmon is null the WARN_ON return path
occurs after the pointer has already been deferenced. Fix this by only
dereferencing perfmon after it has been null checked.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:10.314542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_perfmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4be045434923e549a50846a066a04b7b6c1d6d33",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "1df8f8901babcc8c8eea2c067179e455b5c828fd",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "3b72deb784a7d4ae8519a5c584cd87c4b57aa6c8",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
},
{
"lessThan": "ce7a1ecf3f9f1fccaf67295307614511d8e11b13",
"status": "affected",
"version": "26a4dc29b74a137f45665089f6d3d633fcc9b662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_perfmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix null pointer dereference of pointer perfmon\n\nIn the unlikely event that pointer perfmon is null the WARN_ON return path\noccurs after the pointer has already been deferenced. Fix this by only\ndereferencing perfmon after it has been null checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:55.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4be045434923e549a50846a066a04b7b6c1d6d33"
},
{
"url": "https://git.kernel.org/stable/c/1df8f8901babcc8c8eea2c067179e455b5c828fd"
},
{
"url": "https://git.kernel.org/stable/c/3b72deb784a7d4ae8519a5c584cd87c4b57aa6c8"
},
{
"url": "https://git.kernel.org/stable/c/ce7a1ecf3f9f1fccaf67295307614511d8e11b13"
}
],
"title": "drm/v3d: Fix null pointer dereference of pointer perfmon",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49485",
"datePublished": "2025-02-26T02:13:24.154Z",
"dateReserved": "2025-02-26T02:08:31.582Z",
"dateUpdated": "2025-10-01T19:46:44.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49335 (GCVE-0-2022-49335)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
Submitting a cs with 0 chunks, causes an oops later, found trying
to execute the wrong userspace driver.
MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo
[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8
[172536.665188] #PF: supervisor read access in kernel mode
[172536.665189] #PF: error_code(0x0000) - not-present page
[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0
[172536.665195] Oops: 0000 [#1] SMP NOPTI
[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS
[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015
[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
[172536.665287] Call Trace:
[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm]
[172536.665338] drm_ioctl+0x201/0x3b0 [drm]
[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665372] ? selinux_file_ioctl+0x135/0x230
[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
[172536.665403] __x64_sys_ioctl+0x83/0xb0
[172536.665406] do_syscall_64+0x33/0x40
[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:07.709316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8189f44270db1be78169e11eec51a3eeb980bc63",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "aa25acbe96692e4bf8482311c293f72d8c6034c0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "15c3bcc9b5349d40207e5f8d4d799b8b4b7d13b8",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "c12984cdb077b9042d2dc20ca18cb16a87bcc774",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "be585921f29df5422a39c952d188b418ad48ffab",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "70276460e914d560e96bfc208695a872fe9469c9",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "20b947e5a3c74c5084d661c097517a554989d462",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "7086a23890d255bb5761604e39174b20d06231a4",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "31ab27b14daaa75541a415c6794d6f3567fea44a",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/cs: make commands with 0 chunks illegal behaviour.\n\nSubmitting a cs with 0 chunks, causes an oops later, found trying\nto execute the wrong userspace driver.\n\nMESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo\n\n[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8\n[172536.665188] #PF: supervisor read access in kernel mode\n[172536.665189] #PF: error_code(0x0000) - not-present page\n[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0\n[172536.665195] Oops: 0000 [#1] SMP NOPTI\n[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS\n[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015\n[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]\n[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 \u003c48\u003e 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10\n[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246\n[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68\n[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38\n[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40\n[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28\n[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000\n[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0\n[172536.665287] Call Trace:\n[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm]\n[172536.665338] drm_ioctl+0x201/0x3b0 [drm]\n[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665372] ? selinux_file_ioctl+0x135/0x230\n[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]\n[172536.665403] __x64_sys_ioctl+0x83/0xb0\n[172536.665406] do_syscall_64+0x33/0x40\n[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:01:59.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8189f44270db1be78169e11eec51a3eeb980bc63"
},
{
"url": "https://git.kernel.org/stable/c/aa25acbe96692e4bf8482311c293f72d8c6034c0"
},
{
"url": "https://git.kernel.org/stable/c/15c3bcc9b5349d40207e5f8d4d799b8b4b7d13b8"
},
{
"url": "https://git.kernel.org/stable/c/c12984cdb077b9042d2dc20ca18cb16a87bcc774"
},
{
"url": "https://git.kernel.org/stable/c/be585921f29df5422a39c952d188b418ad48ffab"
},
{
"url": "https://git.kernel.org/stable/c/70276460e914d560e96bfc208695a872fe9469c9"
},
{
"url": "https://git.kernel.org/stable/c/20b947e5a3c74c5084d661c097517a554989d462"
},
{
"url": "https://git.kernel.org/stable/c/7086a23890d255bb5761604e39174b20d06231a4"
},
{
"url": "https://git.kernel.org/stable/c/31ab27b14daaa75541a415c6794d6f3567fea44a"
}
],
"title": "drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49335",
"datePublished": "2025-02-26T02:10:54.763Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-10-01T19:46:55.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49304 (GCVE-0-2022-49304)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: tty: serial: Fix deadlock in sa1100_set_termios()
There is a deadlock in sa1100_set_termios(), which is shown
below:
(Thread 1) | (Thread 2)
| sa1100_enable_ms()
sa1100_set_termios() | mod_timer()
spin_lock_irqsave() //(1) | (wait a time)
... | sa1100_timeout()
del_timer_sync() | spin_lock_irqsave() //(2)
(wait timer to stop) | ...
We hold sport->port.lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need sport->port.lock in position (2) of thread 2. As a result,
sa1100_set_termios() will block forever.
This patch moves del_timer_sync() before spin_lock_irqsave()
in order to prevent the deadlock.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:33.088615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sa1100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0976808d0d171ec837d4bd3e9f4ad4a00ab703b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "85e20f8bd31a46d8c60103d0274a8ebe8f47f2b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "920f0ae7a129ffee98a106e3bbdfd61a2a59e939",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09a5958a2452ad22d0cb638711ef34ea1863a829",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e2273eefab54a521d9c59efb6e1114e742bdf41",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cbfc38df580bff5b2fe19f21c1a7520efcc4b3b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "553213432ef0c295becdc08c0207d2094468f673",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34d91e555e5582cffdbcbb75517bc9217866823e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "62b2caef400c1738b6d22f636c628d9f85cd4c4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sa1100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: tty: serial: Fix deadlock in sa1100_set_termios()\n\nThere is a deadlock in sa1100_set_termios(), which is shown\nbelow:\n\n (Thread 1) | (Thread 2)\n | sa1100_enable_ms()\nsa1100_set_termios() | mod_timer()\n spin_lock_irqsave() //(1) | (wait a time)\n ... | sa1100_timeout()\n del_timer_sync() | spin_lock_irqsave() //(2)\n (wait timer to stop) | ...\n\nWe hold sport-\u003eport.lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need sport-\u003eport.lock in position (2) of thread 2. As a result,\nsa1100_set_termios() will block forever.\n\nThis patch moves del_timer_sync() before spin_lock_irqsave()\nin order to prevent the deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:42.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0976808d0d171ec837d4bd3e9f4ad4a00ab703b8"
},
{
"url": "https://git.kernel.org/stable/c/85e20f8bd31a46d8c60103d0274a8ebe8f47f2b2"
},
{
"url": "https://git.kernel.org/stable/c/920f0ae7a129ffee98a106e3bbdfd61a2a59e939"
},
{
"url": "https://git.kernel.org/stable/c/09a5958a2452ad22d0cb638711ef34ea1863a829"
},
{
"url": "https://git.kernel.org/stable/c/6e2273eefab54a521d9c59efb6e1114e742bdf41"
},
{
"url": "https://git.kernel.org/stable/c/2cbfc38df580bff5b2fe19f21c1a7520efcc4b3b"
},
{
"url": "https://git.kernel.org/stable/c/553213432ef0c295becdc08c0207d2094468f673"
},
{
"url": "https://git.kernel.org/stable/c/34d91e555e5582cffdbcbb75517bc9217866823e"
},
{
"url": "https://git.kernel.org/stable/c/62b2caef400c1738b6d22f636c628d9f85cd4c4c"
}
],
"title": "drivers: tty: serial: Fix deadlock in sa1100_set_termios()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49304",
"datePublished": "2025-02-26T02:10:37.726Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-10-01T19:46:58.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21804 (GCVE-0-2025-21804)
Vulnerability from cvelistv5
Published
2025-02-27 20:00
Modified
2025-11-03 20:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()
The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()
macro to request a needed resource. A string variable that lives on the
stack is then used to store a dynamically computed resource name, which
is then passed on as one of the macro arguments. This can lead to
undefined behavior.
Depending on the current contents of the memory, the manifestations of
errors may vary. One possible output may be as follows:
$ cat /proc/iomem
30000000-37ffffff :
38000000-3fffffff :
Sometimes, garbage may appear after the colon.
In very rare cases, if no NULL-terminator is found in memory, the system
might crash because the string iterator will overrun which can lead to
access of unmapped memory above the stack.
Thus, fix this by replacing outbound_name with the name of the previously
requested resource. With the changes applied, the output will be as
follows:
$ cat /proc/iomem
30000000-37ffffff : memory2
38000000-3fffffff : memory3
[kwilczynski: commit log]
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 Version: 2a6d0d63d99956a66f6605832f11755d74a41951 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:44.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pcie-rcar-ep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a47e14c5fb0b6dba7073be7b0119fb8fe864e01",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "6987e021b64cbb49981d140bb72d9d1466f191c4",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "24576899c49509c0d533bcf569139f691d8f7af7",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "2c54b9fca1755e80a343ccfde0652dc5ea4744b2",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "9ff46b0bfeb6e0724a4ace015aa7a0b887cdb7c1",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "44708208c2a4b828a57a2abe7799c9d3962e7eaa",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
},
{
"lessThan": "2d2da5a4c1b4509f6f7e5a8db015cd420144beb4",
"status": "affected",
"version": "2a6d0d63d99956a66f6605832f11755d74a41951",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pcie-rcar-ep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()\n\nThe rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()\nmacro to request a needed resource. A string variable that lives on the\nstack is then used to store a dynamically computed resource name, which\nis then passed on as one of the macro arguments. This can lead to\nundefined behavior.\n\nDepending on the current contents of the memory, the manifestations of\nerrors may vary. One possible output may be as follows:\n\n $ cat /proc/iomem\n 30000000-37ffffff :\n 38000000-3fffffff :\n\nSometimes, garbage may appear after the colon.\n\nIn very rare cases, if no NULL-terminator is found in memory, the system\nmight crash because the string iterator will overrun which can lead to\naccess of unmapped memory above the stack.\n\nThus, fix this by replacing outbound_name with the name of the previously\nrequested resource. With the changes applied, the output will be as\nfollows:\n\n $ cat /proc/iomem\n 30000000-37ffffff : memory2\n 38000000-3fffffff : memory3\n\n[kwilczynski: commit log]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:34.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a47e14c5fb0b6dba7073be7b0119fb8fe864e01"
},
{
"url": "https://git.kernel.org/stable/c/6987e021b64cbb49981d140bb72d9d1466f191c4"
},
{
"url": "https://git.kernel.org/stable/c/24576899c49509c0d533bcf569139f691d8f7af7"
},
{
"url": "https://git.kernel.org/stable/c/2c54b9fca1755e80a343ccfde0652dc5ea4744b2"
},
{
"url": "https://git.kernel.org/stable/c/9ff46b0bfeb6e0724a4ace015aa7a0b887cdb7c1"
},
{
"url": "https://git.kernel.org/stable/c/44708208c2a4b828a57a2abe7799c9d3962e7eaa"
},
{
"url": "https://git.kernel.org/stable/c/2d2da5a4c1b4509f6f7e5a8db015cd420144beb4"
}
],
"title": "PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21804",
"datePublished": "2025-02-27T20:00:57.639Z",
"dateReserved": "2024-12-29T08:45:45.771Z",
"dateUpdated": "2025-11-03T20:59:44.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49132 (GCVE-0-2022-49132)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: pci: fix crash on suspend if board file is not found
Mario reported that the kernel was crashing on suspend if ath11k was not able
to find a board file:
[ 473.693286] PM: Suspending system (s2idle)
[ 473.693291] printk: Suspending console(s) (use no_console_suspend to debug)
[ 474.407787] BUG: unable to handle page fault for address: 0000000000002070
[ 474.407791] #PF: supervisor read access in kernel mode
[ 474.407794] #PF: error_code(0x0000) - not-present page
[ 474.407798] PGD 0 P4D 0
[ 474.407801] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 474.407805] CPU: 2 PID: 2350 Comm: kworker/u32:14 Tainted: G W 5.16.0 #248
[...]
[ 474.407868] Call Trace:
[ 474.407870] <TASK>
[ 474.407874] ? _raw_spin_lock_irqsave+0x2a/0x60
[ 474.407882] ? lock_timer_base+0x72/0xa0
[ 474.407889] ? _raw_spin_unlock_irqrestore+0x29/0x3d
[ 474.407892] ? try_to_del_timer_sync+0x54/0x80
[ 474.407896] ath11k_dp_rx_pktlog_stop+0x49/0xc0 [ath11k]
[ 474.407912] ath11k_core_suspend+0x34/0x130 [ath11k]
[ 474.407923] ath11k_pci_pm_suspend+0x1b/0x50 [ath11k_pci]
[ 474.407928] pci_pm_suspend+0x7e/0x170
[ 474.407935] ? pci_pm_freeze+0xc0/0xc0
[ 474.407939] dpm_run_callback+0x4e/0x150
[ 474.407947] __device_suspend+0x148/0x4c0
[ 474.407951] async_suspend+0x20/0x90
dmesg-efi-164255130401001:
Oops#1 Part1
[ 474.407955] async_run_entry_fn+0x33/0x120
[ 474.407959] process_one_work+0x220/0x3f0
[ 474.407966] worker_thread+0x4a/0x3d0
[ 474.407971] kthread+0x17a/0x1a0
[ 474.407975] ? process_one_work+0x3f0/0x3f0
[ 474.407979] ? set_kthread_struct+0x40/0x40
[ 474.407983] ret_from_fork+0x22/0x30
[ 474.407991] </TASK>
The issue here is that board file loading happens after ath11k_pci_probe()
succesfully returns (ath11k initialisation happends asynchronously) and the
suspend handler is still enabled, of course failing as ath11k is not properly
initialised. Fix this by checking ATH11K_FLAG_QMI_FAIL during both suspend and
resume.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fed4cef115ab21a18faf499b3fa9b9a4b544f941",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "f3c5ef433da82d257337424b3647ce9dcb37d4b5",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "aeed776c00e804a0f7896db39c7c661cea34ee1f",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "b4f4c56459a5c744f7f066b9fc2b54ea995030c5",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: pci: fix crash on suspend if board file is not found\n\nMario reported that the kernel was crashing on suspend if ath11k was not able\nto find a board file:\n\n[ 473.693286] PM: Suspending system (s2idle)\n[ 473.693291] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 474.407787] BUG: unable to handle page fault for address: 0000000000002070\n[ 474.407791] #PF: supervisor read access in kernel mode\n[ 474.407794] #PF: error_code(0x0000) - not-present page\n[ 474.407798] PGD 0 P4D 0\n[ 474.407801] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 474.407805] CPU: 2 PID: 2350 Comm: kworker/u32:14 Tainted: G W 5.16.0 #248\n[...]\n[ 474.407868] Call Trace:\n[ 474.407870] \u003cTASK\u003e\n[ 474.407874] ? _raw_spin_lock_irqsave+0x2a/0x60\n[ 474.407882] ? lock_timer_base+0x72/0xa0\n[ 474.407889] ? _raw_spin_unlock_irqrestore+0x29/0x3d\n[ 474.407892] ? try_to_del_timer_sync+0x54/0x80\n[ 474.407896] ath11k_dp_rx_pktlog_stop+0x49/0xc0 [ath11k]\n[ 474.407912] ath11k_core_suspend+0x34/0x130 [ath11k]\n[ 474.407923] ath11k_pci_pm_suspend+0x1b/0x50 [ath11k_pci]\n[ 474.407928] pci_pm_suspend+0x7e/0x170\n[ 474.407935] ? pci_pm_freeze+0xc0/0xc0\n[ 474.407939] dpm_run_callback+0x4e/0x150\n[ 474.407947] __device_suspend+0x148/0x4c0\n[ 474.407951] async_suspend+0x20/0x90\ndmesg-efi-164255130401001:\nOops#1 Part1\n[ 474.407955] async_run_entry_fn+0x33/0x120\n[ 474.407959] process_one_work+0x220/0x3f0\n[ 474.407966] worker_thread+0x4a/0x3d0\n[ 474.407971] kthread+0x17a/0x1a0\n[ 474.407975] ? process_one_work+0x3f0/0x3f0\n[ 474.407979] ? set_kthread_struct+0x40/0x40\n[ 474.407983] ret_from_fork+0x22/0x30\n[ 474.407991] \u003c/TASK\u003e\n\nThe issue here is that board file loading happens after ath11k_pci_probe()\nsuccesfully returns (ath11k initialisation happends asynchronously) and the\nsuspend handler is still enabled, of course failing as ath11k is not properly\ninitialised. Fix this by checking ATH11K_FLAG_QMI_FAIL during both suspend and\nresume.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:40.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fed4cef115ab21a18faf499b3fa9b9a4b544f941"
},
{
"url": "https://git.kernel.org/stable/c/f3c5ef433da82d257337424b3647ce9dcb37d4b5"
},
{
"url": "https://git.kernel.org/stable/c/aeed776c00e804a0f7896db39c7c661cea34ee1f"
},
{
"url": "https://git.kernel.org/stable/c/b4f4c56459a5c744f7f066b9fc2b54ea995030c5"
}
],
"title": "ath11k: pci: fix crash on suspend if board file is not found",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49132",
"datePublished": "2025-02-26T01:55:07.144Z",
"dateReserved": "2025-02-26T01:49:39.267Z",
"dateUpdated": "2025-05-04T08:30:40.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58009 (GCVE-0-2024-58009)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc
A NULL sock pointer is passed into l2cap_sock_alloc() when it is called
from l2cap_sock_new_connection_cb() and the error handling paths should
also be aware of it.
Seemingly a more elegant solution would be to swap bt_sock_alloc() and
l2cap_chan_create() calls since they are not interdependent to that moment
but then l2cap_chan_create() adds the soon to be deallocated and still
dummy-initialized channel to the global list accessible by many L2CAP
paths. The channel would be removed from the list in short period of time
but be a bit more straight-forward here and just check for NULL instead of
changing the order of function calls.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f6ad641646b67f29c7578dcd6c25813c7dcbf51e Version: daa13175a6dea312a76099066cb4cbd4fc959a84 Version: a8677028dd5123e5e525b8195483994d87123de4 Version: bb2f2342a6ddf7c04f9aefbbfe86104cd138e629 Version: 8ad09ddc63ace3950ac43db6fbfe25b40f589dd6 Version: 61686abc2f3c2c67822aa23ce6f160467ec83d35 Version: 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 Version: 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:22.791Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9a7672fc1a0fe18502493936ccb06413ab89ea6",
"status": "affected",
"version": "f6ad641646b67f29c7578dcd6c25813c7dcbf51e",
"versionType": "git"
},
{
"lessThan": "8e605f580a97530e5a3583beea458a3fa4cbefbd",
"status": "affected",
"version": "daa13175a6dea312a76099066cb4cbd4fc959a84",
"versionType": "git"
},
{
"lessThan": "cf601a24120c674cd7c907ea695f92617af6abd0",
"status": "affected",
"version": "a8677028dd5123e5e525b8195483994d87123de4",
"versionType": "git"
},
{
"lessThan": "297ce7f544aa675b0d136d788cad0710cdfb0785",
"status": "affected",
"version": "bb2f2342a6ddf7c04f9aefbbfe86104cd138e629",
"versionType": "git"
},
{
"lessThan": "245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22",
"status": "affected",
"version": "8ad09ddc63ace3950ac43db6fbfe25b40f589dd6",
"versionType": "git"
},
{
"lessThan": "691218a50c3139f7f57ffa79fb89d932eda9571e",
"status": "affected",
"version": "61686abc2f3c2c67822aa23ce6f160467ec83d35",
"versionType": "git"
},
{
"lessThan": "49c0d55d59662430f1829ae85b969619573d0fa1",
"status": "affected",
"version": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
"versionType": "git"
},
{
"lessThan": "5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1",
"status": "affected",
"version": "7c4f78cdb8e7501e9f92d291a7d956591bf73be9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc\n\nA NULL sock pointer is passed into l2cap_sock_alloc() when it is called\nfrom l2cap_sock_new_connection_cb() and the error handling paths should\nalso be aware of it.\n\nSeemingly a more elegant solution would be to swap bt_sock_alloc() and\nl2cap_chan_create() calls since they are not interdependent to that moment\nbut then l2cap_chan_create() adds the soon to be deallocated and still\ndummy-initialized channel to the global list accessible by many L2CAP\npaths. The channel would be removed from the list in short period of time\nbut be a bit more straight-forward here and just check for NULL instead of\nchanging the order of function calls.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:19.816Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6"
},
{
"url": "https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd"
},
{
"url": "https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0"
},
{
"url": "https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785"
},
{
"url": "https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22"
},
{
"url": "https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e"
},
{
"url": "https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1"
},
{
"url": "https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1"
}
],
"title": "Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58009",
"datePublished": "2025-02-27T02:12:04.637Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:22.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21775 (GCVE-0-2025-21775)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: ctucanfd: handle skb allocation failure
If skb allocation fails, the pointer to struct can_frame is NULL. This
is actually handled everywhere inside ctucan_err_interrupt() except for
the only place.
Add the missed NULL check.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:28.979689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:28.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/ctucanfd/ctucanfd_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84b9ac59978a6a4e0812d1c938fad97306272cef",
"status": "affected",
"version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
"versionType": "git"
},
{
"lessThan": "e505b83b9ee6aa0ae2f4395f573a66579ae403fb",
"status": "affected",
"version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
"versionType": "git"
},
{
"lessThan": "b0e592dd46a0a952b41c3bf6c963afdd6a42b526",
"status": "affected",
"version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
"versionType": "git"
},
{
"lessThan": "e7e2e2318b1f085044126ba553a4e619842fc36d",
"status": "affected",
"version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
"versionType": "git"
},
{
"lessThan": "9bd24927e3eeb85642c7baa3b28be8bea6c2a078",
"status": "affected",
"version": "2dcb8e8782d8e4c38903bf37b1a24d3ffd193da7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/ctucanfd/ctucanfd_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ctucanfd: handle skb allocation failure\n\nIf skb allocation fails, the pointer to struct can_frame is NULL. This\nis actually handled everywhere inside ctucan_err_interrupt() except for\nthe only place.\n\nAdd the missed NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:55.375Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84b9ac59978a6a4e0812d1c938fad97306272cef"
},
{
"url": "https://git.kernel.org/stable/c/e505b83b9ee6aa0ae2f4395f573a66579ae403fb"
},
{
"url": "https://git.kernel.org/stable/c/b0e592dd46a0a952b41c3bf6c963afdd6a42b526"
},
{
"url": "https://git.kernel.org/stable/c/e7e2e2318b1f085044126ba553a4e619842fc36d"
},
{
"url": "https://git.kernel.org/stable/c/9bd24927e3eeb85642c7baa3b28be8bea6c2a078"
}
],
"title": "can: ctucanfd: handle skb allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21775",
"datePublished": "2025-02-27T02:18:21.019Z",
"dateReserved": "2024-12-29T08:45:45.763Z",
"dateUpdated": "2025-11-03T19:37:28.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49535 (GCVE-0-2022-49535)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI
If lpfc_issue_els_flogi() fails and returns non-zero status, the node
reference count is decremented to trigger the release of the nodelist
structure. However, if there is a prior registration or dev-loss-evt work
pending, the node may be released prematurely. When dev-loss-evt
completes, the released node is referenced causing a use-after-free null
pointer dereference.
Similarly, when processing non-zero ELS PLOGI completion status in
lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport
registration before triggering node removal. If dev-loss-evt work is
pending, the node may be released prematurely and a subsequent call to
lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.
Add test for pending dev-loss before decrementing the node reference count
for FLOGI, PLOGI, PRLI, and ADISC handling.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:34.195435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_els.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7dc74ab7975c9b96284abfe4cca756d75fa4604",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "577a942df3de2666f6947bdd3a5c9e8d30073424",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_els.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI\n\nIf lpfc_issue_els_flogi() fails and returns non-zero status, the node\nreference count is decremented to trigger the release of the nodelist\nstructure. However, if there is a prior registration or dev-loss-evt work\npending, the node may be released prematurely. When dev-loss-evt\ncompletes, the released node is referenced causing a use-after-free null\npointer dereference.\n\nSimilarly, when processing non-zero ELS PLOGI completion status in\nlpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport\nregistration before triggering node removal. If dev-loss-evt work is\npending, the node may be released prematurely and a subsequent call to\nlpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.\n\nAdd test for pending dev-loss before decrementing the node reference count\nfor FLOGI, PLOGI, PRLI, and ADISC handling."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:01.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7dc74ab7975c9b96284abfe4cca756d75fa4604"
},
{
"url": "https://git.kernel.org/stable/c/10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df"
},
{
"url": "https://git.kernel.org/stable/c/577a942df3de2666f6947bdd3a5c9e8d30073424"
}
],
"title": "scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49535",
"datePublished": "2025-02-26T02:13:53.482Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-05-04T08:40:01.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49347 (GCVE-0-2022-49347)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in ext4_writepages
we got issue as follows:
EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2708!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
RIP: 0010:ext4_writepages+0x1977/0x1c10
RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000
RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002
RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000
R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001
R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028
FS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_writepages+0x130/0x3a0
filemap_fdatawrite_wbc+0x83/0xa0
filemap_flush+0xab/0xe0
ext4_alloc_da_blocks+0x51/0x120
__ext4_ioctl+0x1534/0x3210
__x64_sys_ioctl+0x12c/0x170
do_syscall_64+0x3b/0x90
It may happen as follows:
1. write inline_data inode
vfs_write
new_sync_write
ext4_file_write_iter
ext4_buffered_write_iter
generic_perform_write
ext4_da_write_begin
ext4_da_write_inline_data_begin -> If inline data size too
small will allocate block to write, then mapping will has
dirty page
ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA
2. fallocate
do_vfs_ioctl
ioctl_preallocate
vfs_fallocate
ext4_fallocate
ext4_convert_inline_data
ext4_convert_inline_data_nolock
ext4_map_blocks -> fail will goto restore data
ext4_restore_inline_data
ext4_create_inline_data
ext4_write_inline_data
ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA
3. writepages
__ext4_ioctl
ext4_alloc_da_blocks
filemap_flush
filemap_fdatawrite_wbc
do_writepages
ext4_writepages
if (ext4_has_inline_data(inode))
BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
The root cause of this issue is we destory inline data until call
ext4_writepages under delay allocation mode. But there maybe already
convert from inline to extent. To solve this issue, we call
filemap_flush first..
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19918ec7717d87d5ab825884a46b26b21375d7ce",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2b78f5bf2d453dda3903955efee059260787a42",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de1732b5c1693ad489c5d254f124f67cb775f37d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73fd5b19285197078ee8a2e651d75d5b094a4de9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b061af037646c9cdb0afd8a8d2f1e1c06285866",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18a759f7f99f0b65a08ff5b7e745fc405a42bde4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cde35417edc0370fb0179a4e38b78a15350a8d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "013f12bdedb96816aaa27ee04349f4433d361f52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef09ed5d37b84d18562b30cf7253e57062d0db05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in ext4_writepages\n\nwe got issue as follows:\nEXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls\n------------[ cut here ]------------\nkernel BUG at fs/ext4/inode.c:2708!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155\nRIP: 0010:ext4_writepages+0x1977/0x1c10\nRSP: 0018:ffff88811d3e7880 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000\nRDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002\nRBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000\nR10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001\nR13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028\nFS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n do_writepages+0x130/0x3a0\n filemap_fdatawrite_wbc+0x83/0xa0\n filemap_flush+0xab/0xe0\n ext4_alloc_da_blocks+0x51/0x120\n __ext4_ioctl+0x1534/0x3210\n __x64_sys_ioctl+0x12c/0x170\n do_syscall_64+0x3b/0x90\n\nIt may happen as follows:\n1. write inline_data inode\nvfs_write\n new_sync_write\n ext4_file_write_iter\n ext4_buffered_write_iter\n generic_perform_write\n ext4_da_write_begin\n ext4_da_write_inline_data_begin -\u003e If inline data size too\n small will allocate block to write, then mapping will has\n dirty page\n ext4_da_convert_inline_data_to_extent -\u003eclear EXT4_STATE_MAY_INLINE_DATA\n2. fallocate\ndo_vfs_ioctl\n ioctl_preallocate\n vfs_fallocate\n ext4_fallocate\n ext4_convert_inline_data\n ext4_convert_inline_data_nolock\n ext4_map_blocks -\u003e fail will goto restore data\n ext4_restore_inline_data\n ext4_create_inline_data\n ext4_write_inline_data\n ext4_set_inode_state -\u003e set inode EXT4_STATE_MAY_INLINE_DATA\n3. writepages\n__ext4_ioctl\n ext4_alloc_da_blocks\n filemap_flush\n filemap_fdatawrite_wbc\n do_writepages\n ext4_writepages\n if (ext4_has_inline_data(inode))\n BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))\n\nThe root cause of this issue is we destory inline data until call\next4_writepages under delay allocation mode. But there maybe already\nconvert from inline to extent. To solve this issue, we call\nfilemap_flush first.."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:47.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19918ec7717d87d5ab825884a46b26b21375d7ce"
},
{
"url": "https://git.kernel.org/stable/c/b2b78f5bf2d453dda3903955efee059260787a42"
},
{
"url": "https://git.kernel.org/stable/c/de1732b5c1693ad489c5d254f124f67cb775f37d"
},
{
"url": "https://git.kernel.org/stable/c/73fd5b19285197078ee8a2e651d75d5b094a4de9"
},
{
"url": "https://git.kernel.org/stable/c/1b061af037646c9cdb0afd8a8d2f1e1c06285866"
},
{
"url": "https://git.kernel.org/stable/c/18a759f7f99f0b65a08ff5b7e745fc405a42bde4"
},
{
"url": "https://git.kernel.org/stable/c/1cde35417edc0370fb0179a4e38b78a15350a8d0"
},
{
"url": "https://git.kernel.org/stable/c/013f12bdedb96816aaa27ee04349f4433d361f52"
},
{
"url": "https://git.kernel.org/stable/c/ef09ed5d37b84d18562b30cf7253e57062d0db05"
}
],
"title": "ext4: fix bug_on in ext4_writepages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49347",
"datePublished": "2025-02-26T02:11:01.983Z",
"dateReserved": "2025-02-26T02:08:31.543Z",
"dateUpdated": "2025-05-04T08:35:47.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49751 (GCVE-0-2022-49751)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
w1: fix WARNING after calling w1_process()
I got the following WARNING message while removing driver(ds2482):
------------[ cut here ]------------
do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307
RIP: 0010:__might_sleep+0x98/0xa0
Call Trace:
exit_signals+0x6c/0x550
do_exit+0x2b4/0x17e0
kthread_exit+0x52/0x60
kthread+0x16d/0x1e0
ret_from_fork+0x1f/0x30
The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
set it to TASK_RUNNING when it breaks out of the loop to avoid the
warning.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:24:55.150824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:35.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/w1/w1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "190b5c3bbd5df685bb1063bda048831d72b8f1d4",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "bccd6df4c177b1ad766f16565ccc298653d027d0",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "276052159ba94d4d9f5b453fb4707d6798c6b845",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "216f35db6ec6a667cd9db4838d657c1d2f4684da",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "89c62cee5d4d65ac75d99b5f986f7f94290e888f",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "cfc7462ff824ed6718ed0272ee9aae88e20d469a",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/w1/w1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: fix WARNING after calling w1_process()\n\nI got the following WARNING message while removing driver(ds2482):\n\n------------[ cut here ]------------\ndo not call blocking ops when !TASK_RUNNING; state=1 set at [\u003c000000002d50bfb6\u003e] w1_process+0x9e/0x1d0 [wire]\nWARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0\nCPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307\nRIP: 0010:__might_sleep+0x98/0xa0\nCall Trace:\n exit_signals+0x6c/0x550\n do_exit+0x2b4/0x17e0\n kthread_exit+0x52/0x60\n kthread+0x16d/0x1e0\n ret_from_fork+0x1f/0x30\n\nThe state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),\nset it to TASK_RUNNING when it breaks out of the loop to avoid the\nwarning."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:36.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/190b5c3bbd5df685bb1063bda048831d72b8f1d4"
},
{
"url": "https://git.kernel.org/stable/c/bccd6df4c177b1ad766f16565ccc298653d027d0"
},
{
"url": "https://git.kernel.org/stable/c/276052159ba94d4d9f5b453fb4707d6798c6b845"
},
{
"url": "https://git.kernel.org/stable/c/216f35db6ec6a667cd9db4838d657c1d2f4684da"
},
{
"url": "https://git.kernel.org/stable/c/89c62cee5d4d65ac75d99b5f986f7f94290e888f"
},
{
"url": "https://git.kernel.org/stable/c/cfc7462ff824ed6718ed0272ee9aae88e20d469a"
},
{
"url": "https://git.kernel.org/stable/c/36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b"
}
],
"title": "w1: fix WARNING after calling w1_process()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49751",
"datePublished": "2025-03-27T16:42:59.669Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-10-01T19:26:35.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42240 (GCVE-0-2024-42240)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-11-03 22:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/bhi: Avoid warning in #DB handler due to BHI mitigation
When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.
To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.
The problem can be reproduced with the following sequence:
$ cat sysenter_step.c
int main()
{ asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
$ gcc -o sysenter_step sysenter_step.c
$ ./sysenter_step
Segmentation fault (core dumped)
The program is expected to crash, and the #DB handler will issue a warning.
Kernel log:
WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
...
RIP: 0010:exc_debug_kernel+0xd2/0x160
...
Call Trace:
<#DB>
? show_regs+0x68/0x80
? __warn+0x8c/0x140
? exc_debug_kernel+0xd2/0x160
? report_bug+0x175/0x1a0
? handle_bug+0x44/0x90
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? exc_debug_kernel+0xd2/0x160
exc_debug+0x43/0x50
asm_exc_debug+0x1e/0x40
RIP: 0010:clear_bhb_loop+0x0/0xb0
...
</#DB>
<TASK>
? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
</TASK>
[ bp: Massage commit message. ]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bd53ec80f21839cfd4d852a6088279d602d67e5b Version: 07dbb10f153f483e8249acebdffedf922e2ec2e1 Version: eb36b0dce2138581bc6b5e39d0273cb4c96ded81 Version: 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 Version: 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 Version: 8f51637712e4da5be410a1666f8aee0d86eef898 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:51.001454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:02:42.210Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/entry/entry_64_compat.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db56615e96c439e13783d7715330e824b4fd4b84",
"status": "affected",
"version": "bd53ec80f21839cfd4d852a6088279d602d67e5b",
"versionType": "git"
},
{
"lessThan": "a765679defe1dc1b8fa01928a6ad6361e72a1364",
"status": "affected",
"version": "07dbb10f153f483e8249acebdffedf922e2ec2e1",
"versionType": "git"
},
{
"lessThan": "dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf",
"status": "affected",
"version": "eb36b0dce2138581bc6b5e39d0273cb4c96ded81",
"versionType": "git"
},
{
"lessThan": "08518d48e5b744620524f0acd7c26c19bda7f513",
"status": "affected",
"version": "7390db8aea0d64e9deb28b8e1ce716f5020c7ee5",
"versionType": "git"
},
{
"lessThan": "ac8b270b61d48fcc61f052097777e3b5e11591e0",
"status": "affected",
"version": "7390db8aea0d64e9deb28b8e1ce716f5020c7ee5",
"versionType": "git"
},
{
"status": "affected",
"version": "8f51637712e4da5be410a1666f8aee0d86eef898",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/entry/entry_64_compat.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "6.1.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "6.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n \u003c#DB\u003e\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \u003c/#DB\u003e\n \u003cTASK\u003e\n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \u003c/TASK\u003e\n\n [ bp: Massage commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:57:48.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84"
},
{
"url": "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364"
},
{
"url": "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf"
},
{
"url": "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513"
},
{
"url": "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0"
}
],
"title": "x86/bhi: Avoid warning in #DB handler due to BHI mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42240",
"datePublished": "2024-08-07T15:14:27.977Z",
"dateReserved": "2024-07-30T07:40:12.253Z",
"dateUpdated": "2025-11-03T22:02:42.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49449 (GCVE-0-2022-49449)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:36.057043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/renesas/pinctrl-rzn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b646e0cfeb38bf5f1944fd548f1dfa9b129fa00c",
"status": "affected",
"version": "4e53b5004745ef26a37bca4933b2d3ea71313f2a",
"versionType": "git"
},
{
"lessThan": "c16b59d445135c8026a04e388d8b2762feaa3b3b",
"status": "affected",
"version": "4e53b5004745ef26a37bca4933b2d3ea71313f2a",
"versionType": "git"
},
{
"lessThan": "34c719b8fdfbd0c7c54cae56e6b0f16e9f8bf03e",
"status": "affected",
"version": "4e53b5004745ef26a37bca4933b2d3ea71313f2a",
"versionType": "git"
},
{
"lessThan": "01f9e02e0f13df3fd291676dc80054e977be1601",
"status": "affected",
"version": "4e53b5004745ef26a37bca4933b2d3ea71313f2a",
"versionType": "git"
},
{
"lessThan": "2f661477c2bb8068194dbba9738d05219f111c6e",
"status": "affected",
"version": "4e53b5004745ef26a37bca4933b2d3ea71313f2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/renesas/pinctrl-rzn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:59.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b646e0cfeb38bf5f1944fd548f1dfa9b129fa00c"
},
{
"url": "https://git.kernel.org/stable/c/c16b59d445135c8026a04e388d8b2762feaa3b3b"
},
{
"url": "https://git.kernel.org/stable/c/34c719b8fdfbd0c7c54cae56e6b0f16e9f8bf03e"
},
{
"url": "https://git.kernel.org/stable/c/01f9e02e0f13df3fd291676dc80054e977be1601"
},
{
"url": "https://git.kernel.org/stable/c/2f661477c2bb8068194dbba9738d05219f111c6e"
}
],
"title": "pinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49449",
"datePublished": "2025-02-26T02:12:59.709Z",
"dateReserved": "2025-02-26T02:08:31.572Z",
"dateUpdated": "2025-10-01T19:46:48.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58034 (GCVE-0-2024-58034)
Vulnerability from cvelistv5
Published
2025-02-27 20:00
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
As of_find_node_by_name() release the reference of the argument device
node, tegra_emc_find_node_by_ram_code() releases some device nodes while
still in use, resulting in possible UAFs. According to the bindings and
the in-tree DTS files, the "emc-tables" node is always device's child
node with the property "nvidia,use-ram-code", and the "lpddr2" node is a
child of the "emc-tables" node. Thus utilize the
for_each_child_of_node() macro and of_get_child_by_name() instead of
of_find_node_by_name() to simplify the code.
This bug was found by an experimental verification tool that I am
developing.
[krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 96e5da7c842424bcf64afe1082b960b42b96190b Version: 96e5da7c842424bcf64afe1082b960b42b96190b Version: 96e5da7c842424bcf64afe1082b960b42b96190b Version: 96e5da7c842424bcf64afe1082b960b42b96190b Version: 96e5da7c842424bcf64afe1082b960b42b96190b Version: 96e5da7c842424bcf64afe1082b960b42b96190b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58034",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T17:59:56.831079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T18:07:17.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:40.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/memory/tegra/tegra20-emc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3def10c610ae046aaa61d00528e7bd15e4ad8d3",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
},
{
"lessThan": "e9d07e91de140679eeaf275f47ad154467cb9e05",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
},
{
"lessThan": "c144423cb07e4e227a8572d5742ca2b36ada770d",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
},
{
"lessThan": "3b02273446e23961d910b50cc12528faec649fb2",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
},
{
"lessThan": "755e44538c190c31de9090d8e8821d228fcfd416",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
},
{
"lessThan": "b9784e5cde1f9fb83661a70e580e381ae1264d12",
"status": "affected",
"version": "96e5da7c842424bcf64afe1082b960b42b96190b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/memory/tegra/tegra20-emc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()\n\nAs of_find_node_by_name() release the reference of the argument device\nnode, tegra_emc_find_node_by_ram_code() releases some device nodes while\nstill in use, resulting in possible UAFs. According to the bindings and\nthe in-tree DTS files, the \"emc-tables\" node is always device\u0027s child\nnode with the property \"nvidia,use-ram-code\", and the \"lpddr2\" node is a\nchild of the \"emc-tables\" node. Thus utilize the\nfor_each_child_of_node() macro and of_get_child_by_name() instead of\nof_find_node_by_name() to simplify the code.\n\nThis bug was found by an experimental verification tool that I am\ndeveloping.\n\n[krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:41.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3def10c610ae046aaa61d00528e7bd15e4ad8d3"
},
{
"url": "https://git.kernel.org/stable/c/e9d07e91de140679eeaf275f47ad154467cb9e05"
},
{
"url": "https://git.kernel.org/stable/c/c144423cb07e4e227a8572d5742ca2b36ada770d"
},
{
"url": "https://git.kernel.org/stable/c/3b02273446e23961d910b50cc12528faec649fb2"
},
{
"url": "https://git.kernel.org/stable/c/755e44538c190c31de9090d8e8821d228fcfd416"
},
{
"url": "https://git.kernel.org/stable/c/b9784e5cde1f9fb83661a70e580e381ae1264d12"
}
],
"title": "memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58034",
"datePublished": "2025-02-27T20:00:52.226Z",
"dateReserved": "2025-02-27T02:16:34.052Z",
"dateUpdated": "2025-11-03T19:33:40.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57978 (GCVE-0-2024-57978)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imx-jpeg: Fix potential error pointer dereference in detach_pm()
The proble is on the first line:
if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
If jpeg->pd_dev[i] is an error pointer, then passing it to
pm_runtime_suspended() will lead to an Oops. The other conditions
check for both error pointers and NULL, but it would be more clear to
use the IS_ERR_OR_NULL() check for that.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5 Version: 12914fd765ba4f9d6a9a50439e8dd2e9f91423f2 Version: b7a830bbc25da0f641e3ef2bac3b1766b2777a8b Version: 2f86d104539fab9181ea7b5721f40e7b92a8bf67 Version: fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 Version: fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:53.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a32ba399a030853f2db45a90ba5474fdd3494aad",
"status": "affected",
"version": "f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5",
"versionType": "git"
},
{
"lessThan": "fde89fe11b44500bfcb2d405825b69a5df805d19",
"status": "affected",
"version": "12914fd765ba4f9d6a9a50439e8dd2e9f91423f2",
"versionType": "git"
},
{
"lessThan": "1b2af918bb714937a8be6cb637f528585461cd98",
"status": "affected",
"version": "b7a830bbc25da0f641e3ef2bac3b1766b2777a8b",
"versionType": "git"
},
{
"lessThan": "6e601a64f7777e2f78c02db1a8b5ba3b7c5e9e31",
"status": "affected",
"version": "2f86d104539fab9181ea7b5721f40e7b92a8bf67",
"versionType": "git"
},
{
"lessThan": "f0b8535a7885ed4fd0b11625addb5476cae0f845",
"status": "affected",
"version": "fd0af4cd35da0eb550ef682b71cda70a4e36f6b9",
"versionType": "git"
},
{
"lessThan": "1378ffec30367233152b7dbf4fa6a25ee98585d1",
"status": "affected",
"version": "fd0af4cd35da0eb550ef682b71cda70a4e36f6b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "6.12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Fix potential error pointer dereference in detach_pm()\n\nThe proble is on the first line:\n\n\tif (jpeg-\u003epd_dev[i] \u0026\u0026 !pm_runtime_suspended(jpeg-\u003epd_dev[i]))\n\nIf jpeg-\u003epd_dev[i] is an error pointer, then passing it to\npm_runtime_suspended() will lead to an Oops. The other conditions\ncheck for both error pointers and NULL, but it would be more clear to\nuse the IS_ERR_OR_NULL() check for that."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:34.839Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a32ba399a030853f2db45a90ba5474fdd3494aad"
},
{
"url": "https://git.kernel.org/stable/c/fde89fe11b44500bfcb2d405825b69a5df805d19"
},
{
"url": "https://git.kernel.org/stable/c/1b2af918bb714937a8be6cb637f528585461cd98"
},
{
"url": "https://git.kernel.org/stable/c/6e601a64f7777e2f78c02db1a8b5ba3b7c5e9e31"
},
{
"url": "https://git.kernel.org/stable/c/f0b8535a7885ed4fd0b11625addb5476cae0f845"
},
{
"url": "https://git.kernel.org/stable/c/1378ffec30367233152b7dbf4fa6a25ee98585d1"
}
],
"title": "media: imx-jpeg: Fix potential error pointer dereference in detach_pm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57978",
"datePublished": "2025-02-27T02:07:05.593Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2025-11-03T19:32:53.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49260 (GCVE-0-2022-49260)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/sec - fix the aead software fallback for engine
Due to the subreq pointer misuse the private context memory. The aead
soft crypto occasionally casues the OS panic as setting the 64K page.
Here is fix it.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/sec2/sec_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40dba7c26e897c637e91312b35f664f1d4d0073c",
"status": "affected",
"version": "6c46a3297beae4ae2d22b26da5e091f058381c7c",
"versionType": "git"
},
{
"lessThan": "ef7b10f3cac7810ddcfd976304fd125aca33d144",
"status": "affected",
"version": "6c46a3297beae4ae2d22b26da5e091f058381c7c",
"versionType": "git"
},
{
"lessThan": "5c1149e2abe0b7489300736b8277b45b113de67f",
"status": "affected",
"version": "6c46a3297beae4ae2d22b26da5e091f058381c7c",
"versionType": "git"
},
{
"lessThan": "0a2a464f863187f97e96ebc6384c052cafd4a54c",
"status": "affected",
"version": "6c46a3297beae4ae2d22b26da5e091f058381c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/sec2/sec_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - fix the aead software fallback for engine\n\nDue to the subreq pointer misuse the private context memory. The aead\nsoft crypto occasionally casues the OS panic as setting the 64K page.\nHere is fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:34.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40dba7c26e897c637e91312b35f664f1d4d0073c"
},
{
"url": "https://git.kernel.org/stable/c/ef7b10f3cac7810ddcfd976304fd125aca33d144"
},
{
"url": "https://git.kernel.org/stable/c/5c1149e2abe0b7489300736b8277b45b113de67f"
},
{
"url": "https://git.kernel.org/stable/c/0a2a464f863187f97e96ebc6384c052cafd4a54c"
}
],
"title": "crypto: hisilicon/sec - fix the aead software fallback for engine",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49260",
"datePublished": "2025-02-26T01:56:12.548Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:34.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21704 (GCVE-0-2025-21704)
Vulnerability from cvelistv5
Published
2025-02-22 09:43
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdc-acm: Check control transfer buffer size before access
If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.
This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").
A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:54.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/cdc-acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "90dd2f1b7342b9a671a5ea4160f408037b92b118",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "871619c2b78fdfe05afb4e8ba548678687beb812",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7828e9363ac4d23b02419bf2a45b9f1d9fb35646",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6abb510251e75f875797d8983a830e6731fa281c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f64079bef6a8a7823358c3f352ea29a617844636",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "383d516a0ebc8641372b521c8cb717f0f1834831",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e563b01208f4d1f609bcab13333b6c0e24ce6a01",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/cdc-acm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can\u0027t\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm-\u003enb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device\u0027s vendor/product IDs and\nits other interfaces."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:21.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"
},
{
"url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"
},
{
"url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"
},
{
"url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"
},
{
"url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"
},
{
"url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"
},
{
"url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"
},
{
"url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"
},
{
"url": "https://project-zero.issues.chromium.org/issues/395107243"
}
],
"title": "usb: cdc-acm: Check control transfer buffer size before access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21704",
"datePublished": "2025-02-22T09:43:37.377Z",
"dateReserved": "2024-12-29T08:45:45.751Z",
"dateUpdated": "2025-11-03T19:35:54.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49641 (GCVE-0-2022-49641)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sysctl: Fix data races in proc_douintvec().
A sysctl variable is accessed concurrently, and there is always a chance
of data-race. So, all readers and writers need some basic protection to
avoid load/store-tearing.
This patch changes proc_douintvec() to use READ_ONCE() and WRITE_ONCE()
internally to fix data-races on the sysctl side. For now, proc_douintvec()
itself is tolerant to a data-race, but we still need to add annotations on
the other subsystem's side.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e7d316a02f683864a12389f8808570e37fb90aa3 Version: e7d316a02f683864a12389f8808570e37fb90aa3 Version: e7d316a02f683864a12389f8808570e37fb90aa3 Version: e7d316a02f683864a12389f8808570e37fb90aa3 Version: 70cd763eb1574cac07138be91f474a661e02d694 Version: f4cea51e9a3d536e2ca2b74a958f7c0b4ea733c3 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:58.576694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d54714e329f646bd7af4994fc427d88ee68936",
"status": "affected",
"version": "e7d316a02f683864a12389f8808570e37fb90aa3",
"versionType": "git"
},
{
"lessThan": "d335db59f7fb3353f56e52371f1ee796ae9c8f09",
"status": "affected",
"version": "e7d316a02f683864a12389f8808570e37fb90aa3",
"versionType": "git"
},
{
"lessThan": "630c76850d554d7140232e71b5d1663e88cffb54",
"status": "affected",
"version": "e7d316a02f683864a12389f8808570e37fb90aa3",
"versionType": "git"
},
{
"lessThan": "4762b532ec9539755aab61445d5da6e1926ccb99",
"status": "affected",
"version": "e7d316a02f683864a12389f8808570e37fb90aa3",
"versionType": "git"
},
{
"status": "affected",
"version": "70cd763eb1574cac07138be91f474a661e02d694",
"versionType": "git"
},
{
"status": "affected",
"version": "f4cea51e9a3d536e2ca2b74a958f7c0b4ea733c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data races in proc_douintvec().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race. So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_douintvec() to use READ_ONCE() and WRITE_ONCE()\ninternally to fix data-races on the sysctl side. For now, proc_douintvec()\nitself is tolerant to a data-race, but we still need to add annotations on\nthe other subsystem\u0027s side."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:01.026Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d54714e329f646bd7af4994fc427d88ee68936"
},
{
"url": "https://git.kernel.org/stable/c/d335db59f7fb3353f56e52371f1ee796ae9c8f09"
},
{
"url": "https://git.kernel.org/stable/c/630c76850d554d7140232e71b5d1663e88cffb54"
},
{
"url": "https://git.kernel.org/stable/c/4762b532ec9539755aab61445d5da6e1926ccb99"
}
],
"title": "sysctl: Fix data races in proc_douintvec().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49641",
"datePublished": "2025-02-26T02:23:48.675Z",
"dateReserved": "2025-02-26T02:21:30.430Z",
"dateUpdated": "2025-10-01T19:36:48.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53007 (GCVE-0-2023-53007)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Make sure trace_printk() can output as soon as it can be used
Currently trace_printk() can be used as soon as early_trace_init() is
called from start_kernel(). But if a crash happens, and
"ftrace_dump_on_oops" is set on the kernel command line, all you get will
be:
[ 0.456075] <idle>-0 0dN.2. 347519us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 353141us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 358684us : Unknown type 6
This is because the trace_printk() event (type 6) hasn't been registered
yet. That gets done via an early_initcall(), which may be early, but not
early enough.
Instead of registering the trace_printk() event (and other ftrace events,
which are not trace events) via an early_initcall(), have them registered at
the same time that trace_printk() can be used. This way, if there is a
crash before early_initcall(), then the trace_printk()s will actually be
useful.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h",
"kernel/trace/trace_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f97eb0ab066133483a65c93eb894748de2f6b598",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "b94d7c7654356860dd7719120c7d15ba38b6162a",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "76b2390fdc80c0a8300e5da5b6b62d201b6fe9ce",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "de3930a4883ddad2244efd6d349013294c62c75c",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "b0af180514edea6c83dc9a299d9f383009c99f25",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "198c83963f6335ca6d690cff067679560f2a3a22",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h",
"kernel/trace/trace_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Make sure trace_printk() can output as soon as it can be used\n\nCurrently trace_printk() can be used as soon as early_trace_init() is\ncalled from start_kernel(). But if a crash happens, and\n\"ftrace_dump_on_oops\" is set on the kernel command line, all you get will\nbe:\n\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 347519us : Unknown type 6\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 353141us : Unknown type 6\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 358684us : Unknown type 6\n\nThis is because the trace_printk() event (type 6) hasn\u0027t been registered\nyet. That gets done via an early_initcall(), which may be early, but not\nearly enough.\n\nInstead of registering the trace_printk() event (and other ftrace events,\nwhich are not trace events) via an early_initcall(), have them registered at\nthe same time that trace_printk() can be used. This way, if there is a\ncrash before early_initcall(), then the trace_printk()s will actually be\nuseful."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:23.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f97eb0ab066133483a65c93eb894748de2f6b598"
},
{
"url": "https://git.kernel.org/stable/c/b94d7c7654356860dd7719120c7d15ba38b6162a"
},
{
"url": "https://git.kernel.org/stable/c/76b2390fdc80c0a8300e5da5b6b62d201b6fe9ce"
},
{
"url": "https://git.kernel.org/stable/c/de3930a4883ddad2244efd6d349013294c62c75c"
},
{
"url": "https://git.kernel.org/stable/c/b0af180514edea6c83dc9a299d9f383009c99f25"
},
{
"url": "https://git.kernel.org/stable/c/198c83963f6335ca6d690cff067679560f2a3a22"
},
{
"url": "https://git.kernel.org/stable/c/3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253"
}
],
"title": "tracing: Make sure trace_printk() can output as soon as it can be used",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53007",
"datePublished": "2025-03-27T16:43:38.102Z",
"dateReserved": "2025-03-27T16:40:15.745Z",
"dateUpdated": "2025-05-04T07:47:23.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21766 (GCVE-0-2025-21766)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: use RCU protection in __ip_rt_update_pmtu()
__ip_rt_update_pmtu() must use RCU protection to make
sure the net structure it reads does not disappear.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 Version: f415c264176e6095e9dee823e09c5bdd0ee0d337 Version: 98776a365da509ad923083ae54b38ee521c52742 Version: 860e2cc78c697c95bc749abb20047239fa1722ea Version: 2b1be6c925cdf4638811765a9160796291494b89 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:21.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce3c6165fce0f06305c806696882a3ad4b90e33f",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "ea07480b23225942208f1b754fea1e7ec486d37e",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "4583748b65dee4d61bd50a2214715b4237bc152a",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "a39f61d212d822b3062d7f70fa0588e50e55664e",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "139512191bd06f1b496117c76372b2ce372c9a41",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"status": "affected",
"version": "f415c264176e6095e9dee823e09c5bdd0ee0d337",
"versionType": "git"
},
{
"status": "affected",
"version": "98776a365da509ad923083ae54b38ee521c52742",
"versionType": "git"
},
{
"status": "affected",
"version": "860e2cc78c697c95bc749abb20047239fa1722ea",
"versionType": "git"
},
{
"status": "affected",
"version": "2b1be6c925cdf4638811765a9160796291494b89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:29.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce3c6165fce0f06305c806696882a3ad4b90e33f"
},
{
"url": "https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e"
},
{
"url": "https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4"
},
{
"url": "https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a"
},
{
"url": "https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e"
},
{
"url": "https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41"
}
],
"title": "ipv4: use RCU protection in __ip_rt_update_pmtu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21766",
"datePublished": "2025-02-27T02:18:16.570Z",
"dateReserved": "2024-12-29T08:45:45.762Z",
"dateUpdated": "2025-11-03T19:37:21.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49397 (GCVE-0-2022-49397)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qmp: fix struct clk leak on probe errors
Make sure to release the pipe clock reference in case of a late probe
error (e.g. probe deferral).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b Version: e78f3d15e115e8e764d4b1562b4fa538f2e22f6b |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b999d48b0869b8599de532ff6081575a7ab5358a",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "621a4bcfb7aa031e7760d7b156bad7a45df58387",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "1668ad103679306ba2ef37f758d704e58a3ef1a0",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "6f3673c8d8eff0c4ab5a5ee0d3ca9717d85419b4",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "b246695636a861a09f0e2cde92bb2dd8f114f024",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "f8d23895a41243c6a8dbf392e531fff9497bb023",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "ad9b0fad02f9b3a06ad5ac7df11f244e316a6254",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
},
{
"lessThan": "f0a4bc38a12f5a0cc5ad68670d9480e91e6a94df",
"status": "affected",
"version": "e78f3d15e115e8e764d4b1562b4fa538f2e22f6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/qualcomm/phy-qcom-qmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix struct clk leak on probe errors\n\nMake sure to release the pipe clock reference in case of a late probe\nerror (e.g. probe deferral)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:49.119Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b999d48b0869b8599de532ff6081575a7ab5358a"
},
{
"url": "https://git.kernel.org/stable/c/621a4bcfb7aa031e7760d7b156bad7a45df58387"
},
{
"url": "https://git.kernel.org/stable/c/1668ad103679306ba2ef37f758d704e58a3ef1a0"
},
{
"url": "https://git.kernel.org/stable/c/6f3673c8d8eff0c4ab5a5ee0d3ca9717d85419b4"
},
{
"url": "https://git.kernel.org/stable/c/b246695636a861a09f0e2cde92bb2dd8f114f024"
},
{
"url": "https://git.kernel.org/stable/c/f8d23895a41243c6a8dbf392e531fff9497bb023"
},
{
"url": "https://git.kernel.org/stable/c/ad9b0fad02f9b3a06ad5ac7df11f244e316a6254"
},
{
"url": "https://git.kernel.org/stable/c/f0a4bc38a12f5a0cc5ad68670d9480e91e6a94df"
}
],
"title": "phy: qcom-qmp: fix struct clk leak on probe errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49397",
"datePublished": "2025-02-26T02:11:26.612Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T08:36:49.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49658 (GCVE-0-2022-49658)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals
Kuee reported a corner case where the tnum becomes constant after the call
to __reg_bound_offset(), but the register's bounds are not, that is, its
min bounds are still not equal to the register's max bounds.
This in turn allows to leak pointers through turning a pointer register as
is into an unknown scalar via adjust_ptr_min_max_vals().
Before:
func#0 @0
0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))
1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))
2: (87) r3 = -r3 ; R3_w=scalar()
3: (87) r3 = -r3 ; R3_w=scalar()
4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)
5: (75) if r3 s>= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
6: (95) exit
from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
8: (95) exit
from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
9: (07) r3 += -32767 ; R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)) <--- [*]
10: (95) exit
What can be seen here is that R3=scalar(umin=32767,umax=32768,var_off=(0x7fff;
0x8000)) after the operation R3 += -32767 results in a 'malformed' constant, that
is, R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)). Intersecting with var_off has
not been done at that point via __update_reg_bounds(), which would have improved
the umax to be equal to umin.
Refactor the tnum <> min/max bounds information flow into a reg_bounds_sync()
helper and use it consistently everywhere. After the fix, bounds have been
corrected to R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) and thus the register
is regarded as a 'proper' constant scalar of 0.
After:
func#0 @0
0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))
1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))
2: (87) r3 = -r3 ; R3_w=scalar()
3: (87) r3 = -r3 ; R3_w=scalar()
4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)
5: (75) if r3 s>= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
6: (95) exit
from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
8: (95) exit
from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e917be1f83ea14a68b3cf64d3da9968eaf991dae",
"status": "affected",
"version": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2",
"versionType": "git"
},
{
"lessThan": "a7de8d436db92bab8b1f44624297c2554a6ac36b",
"status": "affected",
"version": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2",
"versionType": "git"
},
{
"lessThan": "b2a28bb36664c94375926cbbb91976242847699d",
"status": "affected",
"version": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2",
"versionType": "git"
},
{
"lessThan": "3844d153a41adea718202c10ae91dc96b37453b5",
"status": "affected",
"version": "b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals\n\nKuee reported a corner case where the tnum becomes constant after the call\nto __reg_bound_offset(), but the register\u0027s bounds are not, that is, its\nmin bounds are still not equal to the register\u0027s max bounds.\n\nThis in turn allows to leak pointers through turning a pointer register as\nis into an unknown scalar via adjust_ptr_min_max_vals().\n\nBefore:\n\n func#0 @0\n 0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n 0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))\n 1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))\n 2: (87) r3 = -r3 ; R3_w=scalar()\n 3: (87) r3 = -r3 ; R3_w=scalar()\n 4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)\n 5: (75) if r3 s\u003e= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n 6: (95) exit\n\n from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n 7: (d5) if r3 s\u003c= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n 8: (95) exit\n\n from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n 9: (07) r3 += -32767 ; R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)) \u003c--- [*]\n 10: (95) exit\n\nWhat can be seen here is that R3=scalar(umin=32767,umax=32768,var_off=(0x7fff;\n0x8000)) after the operation R3 += -32767 results in a \u0027malformed\u0027 constant, that\nis, R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)). Intersecting with var_off has\nnot been done at that point via __update_reg_bounds(), which would have improved\nthe umax to be equal to umin.\n\nRefactor the tnum \u003c\u003e min/max bounds information flow into a reg_bounds_sync()\nhelper and use it consistently everywhere. After the fix, bounds have been\ncorrected to R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) and thus the register\nis regarded as a \u0027proper\u0027 constant scalar of 0.\n\nAfter:\n\n func#0 @0\n 0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n 0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))\n 1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))\n 2: (87) r3 = -r3 ; R3_w=scalar()\n 3: (87) r3 = -r3 ; R3_w=scalar()\n 4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)\n 5: (75) if r3 s\u003e= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n 6: (95) exit\n\n from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n 7: (d5) if r3 s\u003c= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n 8: (95) exit\n\n from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:44.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e917be1f83ea14a68b3cf64d3da9968eaf991dae"
},
{
"url": "https://git.kernel.org/stable/c/a7de8d436db92bab8b1f44624297c2554a6ac36b"
},
{
"url": "https://git.kernel.org/stable/c/b2a28bb36664c94375926cbbb91976242847699d"
},
{
"url": "https://git.kernel.org/stable/c/3844d153a41adea718202c10ae91dc96b37453b5"
}
],
"title": "bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49658",
"datePublished": "2025-02-26T02:23:56.922Z",
"dateReserved": "2025-02-26T02:21:30.434Z",
"dateUpdated": "2025-05-04T08:42:44.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49221 (GCVE-0-2022-49221)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: populate connector of struct dp_panel
DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose
and expect DP source return correct checksum. During drm edid read,
correct edid checksum is calculated and stored at
connector::real_edid_checksum.
The problem is struct dp_panel::connector never be assigned, instead the
connector is stored in struct msm_dp::connector. When we run compliance
testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid
edid set in struct dp_panel::edid so we'll try to use the connectors
real_edid_checksum and hit a NULL pointer dereference error because the
connector pointer is never assigned.
Changes in V2:
-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()
Changes in V3:
-- remove unhelpful kernel crash trace commit text
-- remove renaming dp_display parameter to dp
Changes in V4:
-- add more details to commit text
Changes in v10:
-- group into one series
Changes in v11:
-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read
Signee-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f86bc4a1a401d3691bad41e67f9db0c2ea94da32 Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839 Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839 Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839 Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839 Version: ab1ccd1e2584b268784518f838f7cc72faec576b Version: 08a96864a45b65ee406a344c78dd761b2fd66887 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:46:27.011573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:04.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "413c62697b61226a236c8b1f5cd64dcf42bcc12f",
"status": "affected",
"version": "f86bc4a1a401d3691bad41e67f9db0c2ea94da32",
"versionType": "git"
},
{
"lessThan": "9525b8bcae8b99188990b56484799cf4b1b43786",
"status": "affected",
"version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
"versionType": "git"
},
{
"lessThan": "fbba600f432a360b42452fee79d1fb35d3aa8aeb",
"status": "affected",
"version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
"versionType": "git"
},
{
"lessThan": "104074ebc0c3f358dd1ee944fbcde92c6e5a21dd",
"status": "affected",
"version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
"versionType": "git"
},
{
"lessThan": "5e602f5156910c7b19661699896cb6e3fb94fab9",
"status": "affected",
"version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
"versionType": "git"
},
{
"status": "affected",
"version": "ab1ccd1e2584b268784518f838f7cc72faec576b",
"versionType": "git"
},
{
"status": "affected",
"version": "08a96864a45b65ee406a344c78dd761b2fd66887",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: populate connector of struct dp_panel\n\nDP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose\nand expect DP source return correct checksum. During drm edid read,\ncorrect edid checksum is calculated and stored at\nconnector::real_edid_checksum.\n\nThe problem is struct dp_panel::connector never be assigned, instead the\nconnector is stored in struct msm_dp::connector. When we run compliance\ntesting test case 4.2.2.6 dp_panel_handle_sink_request() won\u0027t have a valid\nedid set in struct dp_panel::edid so we\u0027ll try to use the connectors\nreal_edid_checksum and hit a NULL pointer dereference error because the\nconnector pointer is never assigned.\n\nChanges in V2:\n-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()\n\nChanges in V3:\n-- remove unhelpful kernel crash trace commit text\n-- remove renaming dp_display parameter to dp\n\nChanges in V4:\n-- add more details to commit text\n\nChanges in v10:\n-- group into one series\n\nChanges in v11:\n-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read\n\nSignee-off-by: Kuogee Hsieh \u003cquic_khsieh@quicinc.com\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:22.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f"
},
{
"url": "https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786"
},
{
"url": "https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb"
},
{
"url": "https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd"
},
{
"url": "https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9"
}
],
"title": "drm/msm/dp: populate connector of struct dp_panel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49221",
"datePublished": "2025-02-26T01:55:53.318Z",
"dateReserved": "2025-02-26T01:49:39.292Z",
"dateUpdated": "2025-10-01T19:47:04.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56718 (GCVE-0-2024-56718)
Vulnerability from cvelistv5
Published
2024-12-29 08:48
Modified
2025-11-03 20:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: protect link down work from execute after lgr freed
link down work may be scheduled before lgr freed but execute
after lgr freed, which may result in crash. So it is need to
hold a reference before shedule link down work, and put the
reference after work executed or canceled.
The relevant crash call stack as follows:
list_del corruption. prev->next should be ffffb638c9c0fe20,
but was 0000000000000000
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:51!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1
Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014
Workqueue: events smc_link_down_work [smc]
RIP: 0010:__list_del_entry_valid.cold+0x31/0x47
RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086
RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000
RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38
R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002
R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0
FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
rwsem_down_write_slowpath+0x17e/0x470
smc_link_down_work+0x3c/0x60 [smc]
process_one_work+0x1ac/0x350
worker_thread+0x49/0x2f0
? rescuer_thread+0x360/0x360
kthread+0x118/0x140
? __kthread_bind_mask+0x60/0x60
ret_from_fork+0x1f/0x30
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:58:28.250334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:06.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:53:09.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bec2f52866d511e94c1c37cd962e4382b1b1a299",
"status": "affected",
"version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
"versionType": "git"
},
{
"lessThan": "2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2",
"status": "affected",
"version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
"versionType": "git"
},
{
"lessThan": "841b1824750d3b8d1dc0a96b14db4418b952abbc",
"status": "affected",
"version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
"versionType": "git"
},
{
"lessThan": "2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec",
"status": "affected",
"version": "541afa10c126b6c22c2a805a559c70cc41fd156e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: protect link down work from execute after lgr freed\n\nlink down work may be scheduled before lgr freed but execute\nafter lgr freed, which may result in crash. So it is need to\nhold a reference before shedule link down work, and put the\nreference after work executed or canceled.\n\nThe relevant crash call stack as follows:\n list_del corruption. prev-\u003enext should be ffffb638c9c0fe20,\n but was 0000000000000000\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:51!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1\n Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014\n Workqueue: events smc_link_down_work [smc]\n RIP: 0010:__list_del_entry_valid.cold+0x31/0x47\n RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086\n RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000\n RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38\n R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002\n R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0\n FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n rwsem_down_write_slowpath+0x17e/0x470\n smc_link_down_work+0x3c/0x60 [smc]\n process_one_work+0x1ac/0x350\n worker_thread+0x49/0x2f0\n ? rescuer_thread+0x360/0x360\n kthread+0x118/0x140\n ? __kthread_bind_mask+0x60/0x60\n ret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:03:15.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bec2f52866d511e94c1c37cd962e4382b1b1a299"
},
{
"url": "https://git.kernel.org/stable/c/2627c3e8646932dfc7b9722c88c2e1ffcf7a9fb2"
},
{
"url": "https://git.kernel.org/stable/c/841b1824750d3b8d1dc0a96b14db4418b952abbc"
},
{
"url": "https://git.kernel.org/stable/c/2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec"
}
],
"title": "net/smc: protect link down work from execute after lgr freed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56718",
"datePublished": "2024-12-29T08:48:50.740Z",
"dateReserved": "2024-12-27T15:00:39.858Z",
"dateUpdated": "2025-11-03T20:53:09.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49521 (GCVE-0-2022-49521)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()
If no handler is found in lpfc_complete_unsol_iocb() to match the rctl of a
received frame, the frame is dropped and resources are leaked.
Fix by returning resources when discarding an unhandled frame type. Update
lpfc_fc_frame_check() handling of NOP basic link service.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa1b509d41c5433672f72c0615cf4aefa0611c99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40cf4ea4d2d497f7732c87d350ba5c3f5e8a43a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "08709769ff2fb6c5ffedcda3742700d8ea1618a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7860d8f8082605b57596aa82d3d438c1fdad9a9e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "646db1a560f44236b7278b822ca99a1d3b6ea72c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()\n\nIf no handler is found in lpfc_complete_unsol_iocb() to match the rctl of a\nreceived frame, the frame is dropped and resources are leaked.\n\nFix by returning resources when discarding an unhandled frame type. Update\nlpfc_fc_frame_check() handling of NOP basic link service."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:42.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa1b509d41c5433672f72c0615cf4aefa0611c99"
},
{
"url": "https://git.kernel.org/stable/c/40cf4ea4d2d497f7732c87d350ba5c3f5e8a43a1"
},
{
"url": "https://git.kernel.org/stable/c/08709769ff2fb6c5ffedcda3742700d8ea1618a8"
},
{
"url": "https://git.kernel.org/stable/c/7860d8f8082605b57596aa82d3d438c1fdad9a9e"
},
{
"url": "https://git.kernel.org/stable/c/646db1a560f44236b7278b822ca99a1d3b6ea72c"
}
],
"title": "scsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49521",
"datePublished": "2025-02-26T02:13:46.812Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:42.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21847 (GCVE-0-2025-21847)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
The nullity of sps->cstream should be checked similarly as it is done in
sof_set_stream_data_offset() function.
Assuming that it is not NULL if sps->stream is NULL is incorrect and can
lead to NULL pointer dereference.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:26:29.116164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:39.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/stream-ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b3878baf90918a361a3dfd3513025100b1b40b6",
"status": "affected",
"version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
"versionType": "git"
},
{
"lessThan": "62ab1ae5511c59b5f0bf550136ff321331adca9f",
"status": "affected",
"version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
"versionType": "git"
},
{
"lessThan": "6c18f5eb2043ebf4674c08a9690218dc818a11ab",
"status": "affected",
"version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
"versionType": "git"
},
{
"lessThan": "d8d99c3b5c485f339864aeaa29f76269cc0ea975",
"status": "affected",
"version": "090349a9feba3ceee3997d31d68ffe54e5b57acb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/stream-ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()\n\nThe nullity of sps-\u003ecstream should be checked similarly as it is done in\nsof_set_stream_data_offset() function.\nAssuming that it is not NULL if sps-\u003estream is NULL is incorrect and can\nlead to NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:27.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b3878baf90918a361a3dfd3513025100b1b40b6"
},
{
"url": "https://git.kernel.org/stable/c/62ab1ae5511c59b5f0bf550136ff321331adca9f"
},
{
"url": "https://git.kernel.org/stable/c/6c18f5eb2043ebf4674c08a9690218dc818a11ab"
},
{
"url": "https://git.kernel.org/stable/c/d8d99c3b5c485f339864aeaa29f76269cc0ea975"
}
],
"title": "ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21847",
"datePublished": "2025-03-12T09:42:03.568Z",
"dateReserved": "2024-12-29T08:45:45.778Z",
"dateUpdated": "2025-10-01T19:26:39.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49238 (GCVE-0-2022-49238)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855
Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station
for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI
command sequence, but actually skip all the peer delete operation, then
it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon
peer delete failure") not take effect, and then happened a use-after-free
warning from KASAN. because the peer->sta is not set to NULL and then used
later.
Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.
log of user-after-free:
[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860
[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523
[ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 534.888716] Call Trace:
[ 534.888720] <IRQ>
[ 534.888726] dump_stack_lvl+0x57/0x7d
[ 534.888736] print_address_description.constprop.0+0x1f/0x170
[ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888771] kasan_report.cold+0x83/0xdf
[ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
[ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]
[ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]
[ 534.888897] ? check_prev_add+0x20f0/0x20f0
[ 534.888922] ? __lock_acquire+0xb72/0x1870
[ 534.888937] ? find_held_lock+0x33/0x110
[ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]
[ 534.888981] ? rcu_read_unlock+0x40/0x40
[ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]
[ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]
[ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889075] call_timer_fn+0x167/0x4a0
[ 534.889084] ? add_timer_on+0x3b0/0x3b0
[ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
[ 534.889117] __run_timers.part.0+0x539/0x8b0
[ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
[ 534.889157] ? call_timer_fn+0x4a0/0x4a0
[ 534.889164] ? mark_lock_irq+0x1c30/0x1c30
[ 534.889173] ? clockevents_program_event+0xdd/0x280
[ 534.889189] ? mark_held_locks+0xa5/0xe0
[ 534.889203] run_timer_softirq+0x97/0x180
[ 534.889213] __do_softirq+0x276/0x86a
[ 534.889230] __irq_exit_rcu+0x11c/0x180
[ 534.889238] irq_exit_rcu+0x5/0x20
[ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 534.889251] </IRQ>
[ 534.889254] <TASK>
[ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
[ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee
[ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206
[ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10
[ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001
[ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f
[ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68
[ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000
[ 534.889316] ? mark_lock+0xd0/0x14a0
[ 534.889332] klist_next+0x1d4/0x450
[ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0
[ 534.889350] device_for_each_child+0xa8/0x140
[ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0
[ 534.889370] ? __lock_release+0x4bd/0x9f0
[ 534.889378] ? dpm_suspend+0x26b/0x3f0
[ 534.889390] dpm_wait_for_subordinate+
---truncated---
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:59.098528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "400705c50bbf184794c885d1efad7fe9ccf1471a",
"status": "affected",
"version": "b4a0f54156ac7720de1750b6ea06657c91c52163",
"versionType": "git"
},
{
"lessThan": "212ad7cb7d7592669c067125949e0a8e31ce6a0b",
"status": "affected",
"version": "b4a0f54156ac7720de1750b6ea06657c91c52163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: free peer for station when disconnect from AP for QCA6390/WCN6855\n\nCommit b4a0f54156ac (\"ath11k: move peer delete after vdev stop of station\nfor QCA6390 and WCN6855\") is to fix firmware crash by changing the WMI\ncommand sequence, but actually skip all the peer delete operation, then\nit lead commit 58595c9874c6 (\"ath11k: Fixing dangling pointer issue upon\npeer delete failure\") not take effect, and then happened a use-after-free\nwarning from KASAN. because the peer-\u003esta is not set to NULL and then used\nlater.\n\nChange to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.\n\nlog of user-after-free:\n\n[ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860\n\n[ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523\n[ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 534.888716] Call Trace:\n[ 534.888720] \u003cIRQ\u003e\n[ 534.888726] dump_stack_lvl+0x57/0x7d\n[ 534.888736] print_address_description.constprop.0+0x1f/0x170\n[ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888771] kasan_report.cold+0x83/0xdf\n[ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]\n[ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]\n[ 534.888897] ? check_prev_add+0x20f0/0x20f0\n[ 534.888922] ? __lock_acquire+0xb72/0x1870\n[ 534.888937] ? find_held_lock+0x33/0x110\n[ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]\n[ 534.888981] ? rcu_read_unlock+0x40/0x40\n[ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]\n[ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]\n[ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[ 534.889075] call_timer_fn+0x167/0x4a0\n[ 534.889084] ? add_timer_on+0x3b0/0x3b0\n[ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[ 534.889117] __run_timers.part.0+0x539/0x8b0\n[ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[ 534.889157] ? call_timer_fn+0x4a0/0x4a0\n[ 534.889164] ? mark_lock_irq+0x1c30/0x1c30\n[ 534.889173] ? clockevents_program_event+0xdd/0x280\n[ 534.889189] ? mark_held_locks+0xa5/0xe0\n[ 534.889203] run_timer_softirq+0x97/0x180\n[ 534.889213] __do_softirq+0x276/0x86a\n[ 534.889230] __irq_exit_rcu+0x11c/0x180\n[ 534.889238] irq_exit_rcu+0x5/0x20\n[ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0\n[ 534.889251] \u003c/IRQ\u003e\n[ 534.889254] \u003cTASK\u003e\n[ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70\n[ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 \u003ce8\u003e 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee\n[ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206\n[ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10\n[ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001\n[ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f\n[ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68\n[ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000\n[ 534.889316] ? mark_lock+0xd0/0x14a0\n[ 534.889332] klist_next+0x1d4/0x450\n[ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0\n[ 534.889350] device_for_each_child+0xa8/0x140\n[ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0\n[ 534.889370] ? __lock_release+0x4bd/0x9f0\n[ 534.889378] ? dpm_suspend+0x26b/0x3f0\n[ 534.889390] dpm_wait_for_subordinate+\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:06.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/400705c50bbf184794c885d1efad7fe9ccf1471a"
},
{
"url": "https://git.kernel.org/stable/c/212ad7cb7d7592669c067125949e0a8e31ce6a0b"
}
],
"title": "ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49238",
"datePublished": "2025-02-26T01:56:01.716Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-05-04T08:33:06.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21784 (GCVE-0-2025-21784)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-05-04 07:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()
In function psp_init_cap_microcode(), it should bail out when failed to
load firmware, otherwise it may cause invalid memory access.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f40a7ff39d9f1d283d5aa9b13e2fb16200aff5f",
"status": "affected",
"version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
"versionType": "git"
},
{
"lessThan": "d1d10bd595539ed82ab59b60249f9bdf0994f678",
"status": "affected",
"version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
"versionType": "git"
},
{
"lessThan": "e7eb84384335e2abf960c94ec0f8c5b835283777",
"status": "affected",
"version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
"versionType": "git"
},
{
"lessThan": "a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf",
"status": "affected",
"version": "07dbfc6b102e25087ec345ef2c2eae21c9856f17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()\n\nIn function psp_init_cap_microcode(), it should bail out when failed to\nload firmware, otherwise it may cause invalid memory access."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:21:11.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f40a7ff39d9f1d283d5aa9b13e2fb16200aff5f"
},
{
"url": "https://git.kernel.org/stable/c/d1d10bd595539ed82ab59b60249f9bdf0994f678"
},
{
"url": "https://git.kernel.org/stable/c/e7eb84384335e2abf960c94ec0f8c5b835283777"
},
{
"url": "https://git.kernel.org/stable/c/a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf"
}
],
"title": "drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21784",
"datePublished": "2025-02-27T02:18:25.431Z",
"dateReserved": "2024-12-29T08:45:45.765Z",
"dateUpdated": "2025-05-04T07:21:11.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49381 (GCVE-0-2022-49381)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix memory leak in jffs2_do_fill_super
If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
an error, we can observe the following kmemleak report:
--------------------------------------------
unreferenced object 0xffff888105a65340 (size 64):
comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0
[<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0
[<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
[<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
[<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
[...]
unreferenced object 0xffff8881bd7f0000 (size 65536):
comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
hex dump (first 32 bytes):
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
backtrace:
[<ffffffff858579ba>] kmalloc_order+0xda/0x110
[<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130
[<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0
[<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0
[<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
[<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
[<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
[...]
--------------------------------------------
This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:55.283015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:52.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jffs2/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ba7bbeab8009faf3a726e565d98816593ddd5b0",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "4da8763a3d2b684c773b72ed80fad40bc264bc40",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "28048a4cf3813b7cf5cc8cce629dfdc7951cb1c2",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "d3a4fff1e7e408c32649030daa7c2c42a7e19a95",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "3252d327f977b14663a10967f3b0930d6c325687",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "ecc53e58596542791e82eff00702f8af7a313f70",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "cf9db013e167bc8fc2ecd7a13ed97a37df0c9dab",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "69295267c481545f636b69ff341b8db75aa136b9",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "c14adb1cf70a984ed081c67e9d27bc3caad9537c",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jffs2/fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_do_fill_super\n\nIf jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns\nan error, we can observe the following kmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff888105a65340 (size 64):\n comm \"mount\", pid 710, jiffies 4302851558 (age 58.239s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff859c45e5\u003e] kmem_cache_alloc_trace+0x475/0x8a0\n [\u003cffffffff86160146\u003e] jffs2_sum_init+0x96/0x1a0\n [\u003cffffffff86140e25\u003e] jffs2_do_mount_fs+0x745/0x2120\n [\u003cffffffff86149fec\u003e] jffs2_do_fill_super+0x35c/0x810\n [\u003cffffffff8614aae9\u003e] jffs2_fill_super+0x2b9/0x3b0\n [...]\nunreferenced object 0xffff8881bd7f0000 (size 65536):\n comm \"mount\", pid 710, jiffies 4302851558 (age 58.239s)\n hex dump (first 32 bytes):\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n backtrace:\n [\u003cffffffff858579ba\u003e] kmalloc_order+0xda/0x110\n [\u003cffffffff85857a11\u003e] kmalloc_order_trace+0x21/0x130\n [\u003cffffffff859c2ed1\u003e] __kmalloc+0x711/0x8a0\n [\u003cffffffff86160189\u003e] jffs2_sum_init+0xd9/0x1a0\n [\u003cffffffff86140e25\u003e] jffs2_do_mount_fs+0x745/0x2120\n [\u003cffffffff86149fec\u003e] jffs2_do_fill_super+0x35c/0x810\n [\u003cffffffff8614aae9\u003e] jffs2_fill_super+0x2b9/0x3b0\n [...]\n--------------------------------------------\n\nThis is because the resources allocated in jffs2_sum_init() are not\nreleased. Call jffs2_sum_exit() to release these resources to solve\nthe problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:28.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ba7bbeab8009faf3a726e565d98816593ddd5b0"
},
{
"url": "https://git.kernel.org/stable/c/4da8763a3d2b684c773b72ed80fad40bc264bc40"
},
{
"url": "https://git.kernel.org/stable/c/28048a4cf3813b7cf5cc8cce629dfdc7951cb1c2"
},
{
"url": "https://git.kernel.org/stable/c/d3a4fff1e7e408c32649030daa7c2c42a7e19a95"
},
{
"url": "https://git.kernel.org/stable/c/3252d327f977b14663a10967f3b0930d6c325687"
},
{
"url": "https://git.kernel.org/stable/c/ecc53e58596542791e82eff00702f8af7a313f70"
},
{
"url": "https://git.kernel.org/stable/c/cf9db013e167bc8fc2ecd7a13ed97a37df0c9dab"
},
{
"url": "https://git.kernel.org/stable/c/69295267c481545f636b69ff341b8db75aa136b9"
},
{
"url": "https://git.kernel.org/stable/c/c14adb1cf70a984ed081c67e9d27bc3caad9537c"
}
],
"title": "jffs2: fix memory leak in jffs2_do_fill_super",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49381",
"datePublished": "2025-02-26T02:11:18.812Z",
"dateReserved": "2025-02-26T02:08:31.559Z",
"dateUpdated": "2025-10-01T19:46:52.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49320 (GCVE-0-2022-49320)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
In zynqmp_dma_alloc/free_chan_resources functions there is a
potential overflow in the below expressions.
dma_alloc_coherent(chan->dev, (2 * chan->desc_size *
ZYNQMP_DMA_NUM_DESCS),
&chan->desc_pool_p, GFP_KERNEL);
dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) *
ZYNQMP_DMA_NUM_DESCS),
chan->desc_pool_v, chan->desc_pool_p);
The arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though
this overflow condition is not observed but it is a potential problem
in the case of 32-bit multiplication. Hence fix it by changing the
desc_size data type to size_t.
In addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in
dma_alloc_coherent API argument.
Addresses-Coverity: Event overflow_before_widen.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 Version: b0cc417c1637192be658e68a74c8d1568e3d35f6 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/zynqmp_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83960276ffc9bf5570d4106490346b61e61be5f3",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "95a0ba85c1b51b36e909841c02d205cd223ab753",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "7b5488f4721fed6e121e661e165bab06ae2f8675",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "4838969e4d95d2bd2995d1605b20d3144fcb3e74",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "90aefae2e3a770a6909d339f5d8a988c0b0ceaf0",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
},
{
"lessThan": "f9a9f43a62a04ec3183fb0da9226c7706eed0115",
"status": "affected",
"version": "b0cc417c1637192be658e68a74c8d1568e3d35f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/xilinx/zynqmp_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type\n\nIn zynqmp_dma_alloc/free_chan_resources functions there is a\npotential overflow in the below expressions.\n\ndma_alloc_coherent(chan-\u003edev, (2 * chan-\u003edesc_size *\n\t\t ZYNQMP_DMA_NUM_DESCS),\n\t\t \u0026chan-\u003edesc_pool_p, GFP_KERNEL);\n\ndma_free_coherent(chan-\u003edev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) *\n ZYNQMP_DMA_NUM_DESCS),\n chan-\u003edesc_pool_v, chan-\u003edesc_pool_p);\n\nThe arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though\nthis overflow condition is not observed but it is a potential problem\nin the case of 32-bit multiplication. Hence fix it by changing the\ndesc_size data type to size_t.\n\nIn addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in\ndma_alloc_coherent API argument.\n\nAddresses-Coverity: Event overflow_before_widen."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:08.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83960276ffc9bf5570d4106490346b61e61be5f3"
},
{
"url": "https://git.kernel.org/stable/c/95a0ba85c1b51b36e909841c02d205cd223ab753"
},
{
"url": "https://git.kernel.org/stable/c/7b5488f4721fed6e121e661e165bab06ae2f8675"
},
{
"url": "https://git.kernel.org/stable/c/4838969e4d95d2bd2995d1605b20d3144fcb3e74"
},
{
"url": "https://git.kernel.org/stable/c/90aefae2e3a770a6909d339f5d8a988c0b0ceaf0"
},
{
"url": "https://git.kernel.org/stable/c/f9a9f43a62a04ec3183fb0da9226c7706eed0115"
}
],
"title": "dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49320",
"datePublished": "2025-02-26T02:10:45.703Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-05-04T08:35:08.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49155 (GCVE-0-2022-49155)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
[ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020
[ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]
[ 12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G I --------- --- 5.14.0-29.el9.x86_64 #1
[ 12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018
[ 12.356356] Call Trace:
[ 12.358821] dump_stack_lvl+0x34/0x44
[ 12.362514] check_preemption_disabled+0xd9/0xe0
[ 12.367164] qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]
[ 12.372481] qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx]
[ 12.377617] ? _raw_spin_lock_irqsave+0x19/0x40
[ 12.384284] local_pci_probe+0x42/0x80
[ 12.390162] ? pci_match_device+0xd7/0x110
[ 12.396366] pci_device_probe+0xfd/0x1b0
[ 12.402372] really_probe+0x1e7/0x3e0
[ 12.408114] __driver_probe_device+0xfe/0x180
[ 12.414544] driver_probe_device+0x1e/0x90
[ 12.420685] __driver_attach+0xc0/0x1c0
[ 12.426536] ? __device_attach_driver+0xe0/0xe0
[ 12.433061] ? __device_attach_driver+0xe0/0xe0
[ 12.439538] bus_for_each_dev+0x78/0xc0
[ 12.445294] bus_add_driver+0x12b/0x1e0
[ 12.451021] driver_register+0x8f/0xe0
[ 12.456631] ? 0xffffffffc07bc000
[ 12.461773] qla2x00_module_init+0x1be/0x229 [qla2xxx]
[ 12.468776] do_one_initcall+0x44/0x200
[ 12.474401] ? load_module+0xad3/0xba0
[ 12.479908] ? kmem_cache_alloc_trace+0x45/0x410
[ 12.486268] do_init_module+0x5c/0x280
[ 12.491730] __do_sys_init_module+0x12e/0x1b0
[ 12.497785] do_syscall_64+0x3b/0x90
[ 12.503029] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 12.509764] RIP: 0033:0x7f554f73ab2e
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:40.390281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:00.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43195a0c620761fbb88db04e2475313855b948a4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f68776f28d9134fa65056e7e63bfc734049730b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8077a7162bc3cf658dd9ff112bc77716c08458c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f97316dd393bc8df1cc2af6295a97b876eecf252",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c33d49ab9f3d8bd7512b3070cd2f07c4a8849d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ab81d82fb1db7ec4be4b0d04563513e6d4bcdd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a669a22aef0ceff706b885370af74b5a60a8ac85",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a60447e7d451df42c7bde43af53b34f10f34f469",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()\n\n[ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020\n[ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]\n[ 12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G I --------- --- 5.14.0-29.el9.x86_64 #1\n[ 12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018\n[ 12.356356] Call Trace:\n[ 12.358821] dump_stack_lvl+0x34/0x44\n[ 12.362514] check_preemption_disabled+0xd9/0xe0\n[ 12.367164] qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]\n[ 12.372481] qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx]\n[ 12.377617] ? _raw_spin_lock_irqsave+0x19/0x40\n[ 12.384284] local_pci_probe+0x42/0x80\n[ 12.390162] ? pci_match_device+0xd7/0x110\n[ 12.396366] pci_device_probe+0xfd/0x1b0\n[ 12.402372] really_probe+0x1e7/0x3e0\n[ 12.408114] __driver_probe_device+0xfe/0x180\n[ 12.414544] driver_probe_device+0x1e/0x90\n[ 12.420685] __driver_attach+0xc0/0x1c0\n[ 12.426536] ? __device_attach_driver+0xe0/0xe0\n[ 12.433061] ? __device_attach_driver+0xe0/0xe0\n[ 12.439538] bus_for_each_dev+0x78/0xc0\n[ 12.445294] bus_add_driver+0x12b/0x1e0\n[ 12.451021] driver_register+0x8f/0xe0\n[ 12.456631] ? 0xffffffffc07bc000\n[ 12.461773] qla2x00_module_init+0x1be/0x229 [qla2xxx]\n[ 12.468776] do_one_initcall+0x44/0x200\n[ 12.474401] ? load_module+0xad3/0xba0\n[ 12.479908] ? kmem_cache_alloc_trace+0x45/0x410\n[ 12.486268] do_init_module+0x5c/0x280\n[ 12.491730] __do_sys_init_module+0x12e/0x1b0\n[ 12.497785] do_syscall_64+0x3b/0x90\n[ 12.503029] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 12.509764] RIP: 0033:0x7f554f73ab2e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:10.418Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43195a0c620761fbb88db04e2475313855b948a4"
},
{
"url": "https://git.kernel.org/stable/c/f68776f28d9134fa65056e7e63bfc734049730b7"
},
{
"url": "https://git.kernel.org/stable/c/8077a7162bc3cf658dd9ff112bc77716c08458c5"
},
{
"url": "https://git.kernel.org/stable/c/f97316dd393bc8df1cc2af6295a97b876eecf252"
},
{
"url": "https://git.kernel.org/stable/c/9c33d49ab9f3d8bd7512b3070cd2f07c4a8849d5"
},
{
"url": "https://git.kernel.org/stable/c/1ab81d82fb1db7ec4be4b0d04563513e6d4bcdd5"
},
{
"url": "https://git.kernel.org/stable/c/a669a22aef0ceff706b885370af74b5a60a8ac85"
},
{
"url": "https://git.kernel.org/stable/c/a60447e7d451df42c7bde43af53b34f10f34f469"
}
],
"title": "scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49155",
"datePublished": "2025-02-26T01:55:19.760Z",
"dateReserved": "2025-02-26T01:49:39.275Z",
"dateUpdated": "2025-10-01T19:57:00.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49445 (GCVE-0-2022-49445)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:49.569465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/renesas/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f991879762392c19661af5b722578089a12b305f",
"status": "affected",
"version": "c7977ec4a33633c8e8d9267dd014356cf857351c",
"versionType": "git"
},
{
"lessThan": "5ed0519d425619b435150372cce2ffeec71581fa",
"status": "affected",
"version": "c7977ec4a33633c8e8d9267dd014356cf857351c",
"versionType": "git"
},
{
"lessThan": "e3a1ad8fd0ac11f4fa1260c23b5db71a25473254",
"status": "affected",
"version": "c7977ec4a33633c8e8d9267dd014356cf857351c",
"versionType": "git"
},
{
"lessThan": "fb4f022b3ad1f3ff3cafdbc7d51896090ae17701",
"status": "affected",
"version": "c7977ec4a33633c8e8d9267dd014356cf857351c",
"versionType": "git"
},
{
"lessThan": "5376e3d904532e657fd7ca1a9b1ff3d351527b90",
"status": "affected",
"version": "c7977ec4a33633c8e8d9267dd014356cf857351c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/renesas/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:53.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f991879762392c19661af5b722578089a12b305f"
},
{
"url": "https://git.kernel.org/stable/c/5ed0519d425619b435150372cce2ffeec71581fa"
},
{
"url": "https://git.kernel.org/stable/c/e3a1ad8fd0ac11f4fa1260c23b5db71a25473254"
},
{
"url": "https://git.kernel.org/stable/c/fb4f022b3ad1f3ff3cafdbc7d51896090ae17701"
},
{
"url": "https://git.kernel.org/stable/c/5376e3d904532e657fd7ca1a9b1ff3d351527b90"
}
],
"title": "pinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49445",
"datePublished": "2025-02-26T02:12:57.249Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-10-01T19:46:48.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58020 (GCVE-0-2024-58020)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Add NULL check in mt_input_configured
devm_kasprintf() can return a NULL pointer on failure,but this
returned value in mt_input_configured() is not checked.
Add NULL check in mt_input_configured(), to handle kernel NULL
pointer dereference error.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: df7ca43fe090e1a56c216c8ebc106ef5fd49afc6 Version: 15ec7cb55e7d88755aa01d44a7a1015a42bfce86 Version: dde88ab4e45beb60b217026207aa9c14c88d71ab Version: 2763732ec1e68910719c75b6b896e11b6d3d622b Version: 4794394635293a3e74591351fff469cea7ad15a2 Version: 4794394635293a3e74591351fff469cea7ad15a2 Version: 4794394635293a3e74591351fff469cea7ad15a2 Version: 4794394635293a3e74591351fff469cea7ad15a2 Version: ac0d389402a6ff9ad92cea02c2d8c711483b91ab Version: 39c70c19456e50dcb3abfe53539220dff0490f1d Version: 1d7833db9fd118415dace2ca157bfa603dec9c8c Version: b70ac7849248ec8128fa12f86e3655ba38838f29 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:39.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a04d96ef67a42165f93194eef22a270acba4b74c",
"status": "affected",
"version": "df7ca43fe090e1a56c216c8ebc106ef5fd49afc6",
"versionType": "git"
},
{
"lessThan": "a6bfd3856e9f3da083f177753c623d58ba935e0a",
"status": "affected",
"version": "15ec7cb55e7d88755aa01d44a7a1015a42bfce86",
"versionType": "git"
},
{
"lessThan": "2052b44cd0a62b6fdbe3371e5ba6029c56c400ca",
"status": "affected",
"version": "dde88ab4e45beb60b217026207aa9c14c88d71ab",
"versionType": "git"
},
{
"lessThan": "4e7113f591163d99adc7cbcd7295030c8c5d3fc7",
"status": "affected",
"version": "2763732ec1e68910719c75b6b896e11b6d3d622b",
"versionType": "git"
},
{
"lessThan": "62f8bf06262b6fc55c58f4c5256140f1382f3b01",
"status": "affected",
"version": "4794394635293a3e74591351fff469cea7ad15a2",
"versionType": "git"
},
{
"lessThan": "aa879ef6d3acf96fa2c7122d0632061d4ea58d48",
"status": "affected",
"version": "4794394635293a3e74591351fff469cea7ad15a2",
"versionType": "git"
},
{
"lessThan": "97c09cc2e72769edb6994b531edcfa313b96bade",
"status": "affected",
"version": "4794394635293a3e74591351fff469cea7ad15a2",
"versionType": "git"
},
{
"lessThan": "9b8e2220d3a052a690b1d1b23019673e612494c5",
"status": "affected",
"version": "4794394635293a3e74591351fff469cea7ad15a2",
"versionType": "git"
},
{
"status": "affected",
"version": "ac0d389402a6ff9ad92cea02c2d8c711483b91ab",
"versionType": "git"
},
{
"status": "affected",
"version": "39c70c19456e50dcb3abfe53539220dff0490f1d",
"versionType": "git"
},
{
"status": "affected",
"version": "1d7833db9fd118415dace2ca157bfa603dec9c8c",
"versionType": "git"
},
{
"status": "affected",
"version": "b70ac7849248ec8128fa12f86e3655ba38838f29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.4.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "6.1.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Add NULL check in mt_input_configured\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in mt_input_configured() is not checked.\nAdd NULL check in mt_input_configured(), to handle kernel NULL\npointer dereference error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:01:50.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a04d96ef67a42165f93194eef22a270acba4b74c"
},
{
"url": "https://git.kernel.org/stable/c/a6bfd3856e9f3da083f177753c623d58ba935e0a"
},
{
"url": "https://git.kernel.org/stable/c/2052b44cd0a62b6fdbe3371e5ba6029c56c400ca"
},
{
"url": "https://git.kernel.org/stable/c/4e7113f591163d99adc7cbcd7295030c8c5d3fc7"
},
{
"url": "https://git.kernel.org/stable/c/62f8bf06262b6fc55c58f4c5256140f1382f3b01"
},
{
"url": "https://git.kernel.org/stable/c/aa879ef6d3acf96fa2c7122d0632061d4ea58d48"
},
{
"url": "https://git.kernel.org/stable/c/97c09cc2e72769edb6994b531edcfa313b96bade"
},
{
"url": "https://git.kernel.org/stable/c/9b8e2220d3a052a690b1d1b23019673e612494c5"
}
],
"title": "HID: multitouch: Add NULL check in mt_input_configured",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58020",
"datePublished": "2025-02-27T02:18:10.081Z",
"dateReserved": "2025-02-27T02:10:48.228Z",
"dateUpdated": "2025-11-03T19:33:39.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49319 (GCVE-0-2022-49319)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-v3: check return value after calling platform_get_resource()
It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49319",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:48.096516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:56.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54c1e0e3bbcab2abe25b2874a43050ae5df87831",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb0f1c5eb8d60b3e018ba7c87da249b52674ebe6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db728a891f9177b044aaca89b678f6b5e24d5cc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "54cf47da0c7532d151d76e5d63f5936191698c44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b131fa8c1d2afd05d0b7598621114674289c2fbb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:06.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54c1e0e3bbcab2abe25b2874a43050ae5df87831"
},
{
"url": "https://git.kernel.org/stable/c/fb0f1c5eb8d60b3e018ba7c87da249b52674ebe6"
},
{
"url": "https://git.kernel.org/stable/c/db728a891f9177b044aaca89b678f6b5e24d5cc3"
},
{
"url": "https://git.kernel.org/stable/c/54cf47da0c7532d151d76e5d63f5936191698c44"
},
{
"url": "https://git.kernel.org/stable/c/b131fa8c1d2afd05d0b7598621114674289c2fbb"
}
],
"title": "iommu/arm-smmu-v3: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49319",
"datePublished": "2025-02-26T02:10:45.131Z",
"dateReserved": "2025-02-26T02:08:31.537Z",
"dateUpdated": "2025-10-01T19:46:56.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49183 (GCVE-0-2022-49183)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: fix ref leak when switching zones
When switching zones or network namespaces without doing a ct clear in
between, it is now leaking a reference to the old ct entry. That's
because tcf_ct_skb_nfct_cached() returns false and
tcf_ct_flow_table_lookup() may simply overwrite it.
The fix is to, as the ct entry is not reusable, free it already at
tcf_ct_skb_nfct_cached().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:32.813819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:59.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bcbf4e5c3b5b373cd61528392dd1ec8e9c0fd33d",
"status": "affected",
"version": "a95ea90deb3071c1ded77a05e91cfebc5238d908",
"versionType": "git"
},
{
"lessThan": "4bb42d73def9411e5cad885b9811987d72431df1",
"status": "affected",
"version": "e9408de00e5ecd0dbe91cf061c7da23711c4febb",
"versionType": "git"
},
{
"lessThan": "b24793a37d91aacad7cb9893b226a7924a89636a",
"status": "affected",
"version": "2f131de361f6d0eaff17db26efdb844c178432f8",
"versionType": "git"
},
{
"lessThan": "bcb74e132a76ce0502bb33d5b65533a4ed72d159",
"status": "affected",
"version": "2f131de361f6d0eaff17db26efdb844c178432f8",
"versionType": "git"
},
{
"status": "affected",
"version": "0fc1847359964e95e521cf2bb2b10f8e33dd0970",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.15.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.103",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix ref leak when switching zones\n\nWhen switching zones or network namespaces without doing a ct clear in\nbetween, it is now leaking a reference to the old ct entry. That\u0027s\nbecause tcf_ct_skb_nfct_cached() returns false and\ntcf_ct_flow_table_lookup() may simply overwrite it.\n\nThe fix is to, as the ct entry is not reusable, free it already at\ntcf_ct_skb_nfct_cached()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:20.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bcbf4e5c3b5b373cd61528392dd1ec8e9c0fd33d"
},
{
"url": "https://git.kernel.org/stable/c/4bb42d73def9411e5cad885b9811987d72431df1"
},
{
"url": "https://git.kernel.org/stable/c/b24793a37d91aacad7cb9893b226a7924a89636a"
},
{
"url": "https://git.kernel.org/stable/c/bcb74e132a76ce0502bb33d5b65533a4ed72d159"
}
],
"title": "net/sched: act_ct: fix ref leak when switching zones",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49183",
"datePublished": "2025-02-26T01:55:34.041Z",
"dateReserved": "2025-02-26T01:49:39.283Z",
"dateUpdated": "2025-10-01T19:56:59.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21844 (GCVE-0-2025-21844)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Add check for next_buffer in receive_encrypted_standard()
Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
in receive_encrypted_standard() to prevent null pointer dereference.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b03c8099a738a04d2343547ae6a04e5f0f63d3fa Version: 858e73ff25639a0cc1f6f8d2587b62c045867e41 Version: 9f528a8e68327117837b5e28b096f52af4c26a05 Version: 534733397da26de0303057ce0b93a22bda150365 Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7 Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7 Version: eec04ea119691e65227a97ce53c0da6b9b74b0b7 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:26:41.993251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:34.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:00.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f277e479eea3d1aa18bc712abe1d2bf3dece2e30",
"status": "affected",
"version": "b03c8099a738a04d2343547ae6a04e5f0f63d3fa",
"versionType": "git"
},
{
"lessThan": "f618aeb6cad2307e48a641379db610abcf593edf",
"status": "affected",
"version": "858e73ff25639a0cc1f6f8d2587b62c045867e41",
"versionType": "git"
},
{
"lessThan": "24e8e4523d3071bc5143b0db9127d511489f7b3b",
"status": "affected",
"version": "9f528a8e68327117837b5e28b096f52af4c26a05",
"versionType": "git"
},
{
"lessThan": "9e5d99a4cf2e23c716b44862975548415fae5391",
"status": "affected",
"version": "534733397da26de0303057ce0b93a22bda150365",
"versionType": "git"
},
{
"lessThan": "a9b0b4b29877cb4dc5d0842b59b5ccbacddb85bd",
"status": "affected",
"version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
"versionType": "git"
},
{
"lessThan": "554736b583f529ee159aa95af9a0cbc12b5ffc96",
"status": "affected",
"version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
"versionType": "git"
},
{
"lessThan": "860ca5e50f73c2a1cef7eefc9d39d04e275417f7",
"status": "affected",
"version": "eec04ea119691e65227a97ce53c0da6b9b74b0b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "6.1.69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "6.6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Add check for next_buffer in receive_encrypted_standard()\n\nAdd check for the return value of cifs_buf_get() and cifs_small_buf_get()\nin receive_encrypted_standard() to prevent null pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:24.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f277e479eea3d1aa18bc712abe1d2bf3dece2e30"
},
{
"url": "https://git.kernel.org/stable/c/f618aeb6cad2307e48a641379db610abcf593edf"
},
{
"url": "https://git.kernel.org/stable/c/24e8e4523d3071bc5143b0db9127d511489f7b3b"
},
{
"url": "https://git.kernel.org/stable/c/9e5d99a4cf2e23c716b44862975548415fae5391"
},
{
"url": "https://git.kernel.org/stable/c/a9b0b4b29877cb4dc5d0842b59b5ccbacddb85bd"
},
{
"url": "https://git.kernel.org/stable/c/554736b583f529ee159aa95af9a0cbc12b5ffc96"
},
{
"url": "https://git.kernel.org/stable/c/860ca5e50f73c2a1cef7eefc9d39d04e275417f7"
}
],
"title": "smb: client: Add check for next_buffer in receive_encrypted_standard()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21844",
"datePublished": "2025-03-12T09:42:00.435Z",
"dateReserved": "2024-12-29T08:45:45.778Z",
"dateUpdated": "2025-11-03T19:38:00.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58007 (GCVE-0-2024-58007)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: socinfo: Avoid out of bounds read of serial number
On MSM8916 devices, the serial number exposed in sysfs is constant and does
not change across individual devices. It's always:
db410c:/sys/devices/soc0$ cat serial_number
2644893864
The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not
have support for the serial_num field in the socinfo struct. There is an
existing check to avoid exposing the serial number in that case, but it's
not correct: When checking the item_size returned by SMEM, we need to make
sure the *end* of the serial_num is within bounds, instead of comparing
with the *start* offset. The serial_number currently exposed on MSM8916
devices is just an out of bounds read of whatever comes after the socinfo
struct in SMEM.
Fix this by changing offsetof() to offsetofend(), so that the size of the
field is also taken into account.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e Version: efb448d0a3fca01bb987dd70963da6185b81751e |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:21.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7445fa05317534bbd8b373c0eff8319187916030",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "2495c6598731b6d7f565140f2bd63ef4bc36ce7d",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "9c88b3a3fae4d60641c3a45be66269d00eff33cd",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "47470acd719d45c4c8c418c07962f74cc995652b",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "407c928305c1a37232a63811c400ef616f85ccbc",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "0a92feddae0634a0b87c04b19d343f6af97af700",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
},
{
"lessThan": "22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0",
"status": "affected",
"version": "efb448d0a3fca01bb987dd70963da6185b81751e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/socinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: socinfo: Avoid out of bounds read of serial number\n\nOn MSM8916 devices, the serial number exposed in sysfs is constant and does\nnot change across individual devices. It\u0027s always:\n\n db410c:/sys/devices/soc0$ cat serial_number\n 2644893864\n\nThe firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not\nhave support for the serial_num field in the socinfo struct. There is an\nexisting check to avoid exposing the serial number in that case, but it\u0027s\nnot correct: When checking the item_size returned by SMEM, we need to make\nsure the *end* of the serial_num is within bounds, instead of comparing\nwith the *start* offset. The serial_number currently exposed on MSM8916\ndevices is just an out of bounds read of whatever comes after the socinfo\nstruct in SMEM.\n\nFix this by changing offsetof() to offsetofend(), so that the size of the\nfield is also taken into account."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:16.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7445fa05317534bbd8b373c0eff8319187916030"
},
{
"url": "https://git.kernel.org/stable/c/2495c6598731b6d7f565140f2bd63ef4bc36ce7d"
},
{
"url": "https://git.kernel.org/stable/c/2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd"
},
{
"url": "https://git.kernel.org/stable/c/9c88b3a3fae4d60641c3a45be66269d00eff33cd"
},
{
"url": "https://git.kernel.org/stable/c/47470acd719d45c4c8c418c07962f74cc995652b"
},
{
"url": "https://git.kernel.org/stable/c/407c928305c1a37232a63811c400ef616f85ccbc"
},
{
"url": "https://git.kernel.org/stable/c/0a92feddae0634a0b87c04b19d343f6af97af700"
},
{
"url": "https://git.kernel.org/stable/c/22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0"
}
],
"title": "soc: qcom: socinfo: Avoid out of bounds read of serial number",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58007",
"datePublished": "2025-02-27T02:12:03.593Z",
"dateReserved": "2025-02-27T02:10:48.227Z",
"dateUpdated": "2025-11-03T19:33:21.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21855 (GCVE-0-2025-21855)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS,
the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to
the VIOS because, at any point after sending, the VIOS can trigger
an interrupt to free this memory. A race between reading skb->len
and freeing the skb is possible (especially during LPM) and will
result in use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
<...>
Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
<...>
Freed by task 0:
kasan_save_stack+0x34/0x68
kasan_save_track+0x2c/0x50
kasan_save_free_info+0x64/0x108
__kasan_mempool_poison_object+0x148/0x2d4
napi_skb_cache_put+0x5c/0x194
net_tx_action+0x154/0x5b8
handle_softirqs+0x20c/0x60c
do_softirq_own_stack+0x6c/0x88
<...>
The buggy address belongs to the object at c00000024eb48a00 which
belongs to the cache skbuff_head_cache of size 224
==================================================================
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:53.080311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:32:00.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:10.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "501ac6a7e21b82e05207c6b4449812d82820f306",
"status": "affected",
"version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
"versionType": "git"
},
{
"lessThan": "093b0e5c90592773863f300b908b741622eef597",
"status": "affected",
"version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
"versionType": "git"
},
{
"lessThan": "25dddd01dcc8ef3acff964dbb32eeb0d89f098e9",
"status": "affected",
"version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
"versionType": "git"
},
{
"lessThan": "abaff2717470e4b5b7c0c3a90e128b211a23da09",
"status": "affected",
"version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
"versionType": "git"
},
{
"lessThan": "bdf5d13aa05ec314d4385b31ac974d6c7e0997c9",
"status": "affected",
"version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don\u0027t reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb-\u003elen\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n \u003c...\u003e\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n \u003c...\u003e\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n \u003c...\u003e\n The buggy address belongs to the object at c00000024eb48a00 which\n belongs to the cache skbuff_head_cache of size 224\n=================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:37.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306"
},
{
"url": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597"
},
{
"url": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
},
{
"url": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09"
},
{
"url": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
}
],
"title": "ibmvnic: Don\u0027t reference skb after sending to VIOS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21855",
"datePublished": "2025-03-12T09:42:09.251Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-11-03T19:38:10.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49298 (GCVE-0-2022-49298)
Vulnerability from cvelistv5
Published
2025-02-26 02:01
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8712: fix uninit-value in r871xu_drv_init()
When 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0,
'mac[6]' will not be initialized.
BUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
really_probe+0x653/0x14b0 drivers/base/dd.c:596
__driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
driver_probe_device drivers/base/dd.c:782 [inline]
__device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
__device_attach+0x593/0x8e0 drivers/base/dd.c:970
device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
device_add+0x1fff/0x26e0 drivers/base/core.c:3405
usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238
usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293
really_probe+0x653/0x14b0 drivers/base/dd.c:596
__driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
driver_probe_device drivers/base/dd.c:782 [inline]
__device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
__device_attach+0x593/0x8e0 drivers/base/dd.c:970
device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
device_add+0x1fff/0x26e0 drivers/base/core.c:3405
usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566
hub_port_connect drivers/usb/core/hub.c:5358 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
port_event drivers/usb/core/hub.c:5660 [inline]
hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742
process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307
worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454
kthread+0x3c7/0x500 kernel/kthread.c:377
ret_from_fork+0x1f/0x30
Local variable mac created at:
r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394
usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
KMSAN: uninit-value in r871xu_drv_init
https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:56.175459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:59.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/usb_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b7371a22489cbb2e8e826ca03fb5ce92afb04fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "277faa442fe0c59f418ac53f47a78e1266addd65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a6535d00a9d54ce1c2a8d86a85001ffb6844f9b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52a0d88c328098b4e9fb8f2f3877fec0eff4104b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ff727ab0b7d7a56b5ef281f12abd00c4b85894e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f36e754a1f0bafb9feeea63463de78080acb6de0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76a964ad0ea8f2b10abd69a7532e174a28258283",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70df04433fd351ba72bc635bd0b5fe443d9ac964",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0458e5428e5e959d201a40ffe71d762a79ecedc4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/usb_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix uninit-value in r871xu_drv_init()\n\nWhen \u0027tmpU1b\u0027 returns from r8712_read8(padapter, EE_9346CR) is 0,\n\u0027mac[6]\u0027 will not be initialized.\n\nBUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541\n r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n really_probe+0x653/0x14b0 drivers/base/dd.c:596\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238\n usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293\n really_probe+0x653/0x14b0 drivers/base/dd.c:596\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566\n hub_port_connect drivers/usb/core/hub.c:5358 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]\n port_event drivers/usb/core/hub.c:5660 [inline]\n hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742\n process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307\n worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454\n kthread+0x3c7/0x500 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30\n\nLocal variable mac created at:\n r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n\nKMSAN: uninit-value in r871xu_drv_init\nhttps://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:36.038Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b7371a22489cbb2e8e826ca03fb5ce92afb04fe"
},
{
"url": "https://git.kernel.org/stable/c/277faa442fe0c59f418ac53f47a78e1266addd65"
},
{
"url": "https://git.kernel.org/stable/c/a6535d00a9d54ce1c2a8d86a85001ffb6844f9b2"
},
{
"url": "https://git.kernel.org/stable/c/52a0d88c328098b4e9fb8f2f3877fec0eff4104b"
},
{
"url": "https://git.kernel.org/stable/c/ff727ab0b7d7a56b5ef281f12abd00c4b85894e9"
},
{
"url": "https://git.kernel.org/stable/c/f36e754a1f0bafb9feeea63463de78080acb6de0"
},
{
"url": "https://git.kernel.org/stable/c/76a964ad0ea8f2b10abd69a7532e174a28258283"
},
{
"url": "https://git.kernel.org/stable/c/70df04433fd351ba72bc635bd0b5fe443d9ac964"
},
{
"url": "https://git.kernel.org/stable/c/0458e5428e5e959d201a40ffe71d762a79ecedc4"
}
],
"title": "staging: rtl8712: fix uninit-value in r871xu_drv_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49298",
"datePublished": "2025-02-26T02:01:27.111Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-10-01T19:46:59.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49306 (GCVE-0-2022-49306)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-09-03 12:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: host: Stop setting the ACPI companion
It is no longer needed. The sysdev pointer is now used when
assigning the ACPI companions to the xHCI ports and USB
devices.
Assigning the ACPI companion here resulted in the
fwnode->secondary pointer to be replaced also for the parent
dwc3 device since the primary fwnode (the ACPI companion)
was shared. That was unintentional and it created potential
side effects like resource leaks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7f35934f7ab67bfd9adabc84207e59da9c19108",
"status": "affected",
"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
"versionType": "git"
},
{
"lessThan": "9c185fde906a48368bd2d2a8c17d4b6fb3d670af",
"status": "affected",
"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
"versionType": "git"
},
{
"lessThan": "7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2",
"status": "affected",
"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: host: Stop setting the ACPI companion\n\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\n\nAssigning the ACPI companion here resulted in the\nfwnode-\u003esecondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:58:40.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7f35934f7ab67bfd9adabc84207e59da9c19108"
},
{
"url": "https://git.kernel.org/stable/c/9c185fde906a48368bd2d2a8c17d4b6fb3d670af"
},
{
"url": "https://git.kernel.org/stable/c/7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2"
}
],
"title": "usb: dwc3: host: Stop setting the ACPI companion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49306",
"datePublished": "2025-02-26T02:10:38.680Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-09-03T12:58:40.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21738 (GCVE-0-2025-21738)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-sff: Ensure that we cannot write outside the allocated buffer
reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
write outside the allocated buffer, overwriting random memory.
While a ATA device is supposed to abort a ATA_NOP command, there does seem
to be a bug either in libata-sff or QEMU, where either this status is not
set, or the status is cleared before read by ata_sff_hsm_move().
Anyway, that is most likely a separate bug.
Looking at __atapi_pio_bytes(), it already has a safety check to ensure
that __atapi_pio_bytes() cannot write outside the allocated buffer.
Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
cannot write outside the allocated buffer.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:44.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-sff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5e6e3000309359eae2a17117aa6e3c44897bf6c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dd5aade301a10f4b329fa7454fdcc2518741902",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0a17a9944b8d89ef03946121241870ac53ddaf45",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e74e53b34b6dec5a50e1404e2680852ec6768d2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-sff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-sff: Ensure that we cannot write outside the allocated buffer\n\nreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len\nset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to\nATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to\nwrite outside the allocated buffer, overwriting random memory.\n\nWhile a ATA device is supposed to abort a ATA_NOP command, there does seem\nto be a bug either in libata-sff or QEMU, where either this status is not\nset, or the status is cleared before read by ata_sff_hsm_move().\nAnyway, that is most likely a separate bug.\n\nLooking at __atapi_pio_bytes(), it already has a safety check to ensure\nthat __atapi_pio_bytes() cannot write outside the allocated buffer.\n\nAdd a similar check to ata_pio_sector(), such that also ata_pio_sector()\ncannot write outside the allocated buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:05.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c"
},
{
"url": "https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c"
},
{
"url": "https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902"
},
{
"url": "https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45"
},
{
"url": "https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2"
}
],
"title": "ata: libata-sff: Ensure that we cannot write outside the allocated buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21738",
"datePublished": "2025-02-27T02:12:13.942Z",
"dateReserved": "2024-12-29T08:45:45.757Z",
"dateUpdated": "2025-11-03T19:36:44.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49616 (GCVE-0-2022-49616)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt7*-sdw: harden jack_detect_handler
Realtek headset codec drivers typically check if the card is
instantiated before proceeding with the jack detection.
The rt700, rt711 and rt711-sdca are however missing a check on the
card pointer, which can lead to NULL dereferences encountered in
driver bind/unbind tests.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt700.c",
"sound/soc/codecs/rt711-sdca.c",
"sound/soc/codecs/rt711.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07a606e1389a63b61cb8cd591026f30529117573",
"status": "affected",
"version": "320b8b0d13b81f3697acff5b6ddb47f88a09c118",
"versionType": "git"
},
{
"lessThan": "1d75b73ec6d6b705cca528b36d8315e43e8d7fa5",
"status": "affected",
"version": "320b8b0d13b81f3697acff5b6ddb47f88a09c118",
"versionType": "git"
},
{
"lessThan": "0484271ab0ce50649329fa9dc23c50853c5b26a4",
"status": "affected",
"version": "320b8b0d13b81f3697acff5b6ddb47f88a09c118",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt700.c",
"sound/soc/codecs/rt711-sdca.c",
"sound/soc/codecs/rt711.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt7*-sdw: harden jack_detect_handler\n\nRealtek headset codec drivers typically check if the card is\ninstantiated before proceeding with the jack detection.\n\nThe rt700, rt711 and rt711-sdca are however missing a check on the\ncard pointer, which can lead to NULL dereferences encountered in\ndriver bind/unbind tests."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:51.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07a606e1389a63b61cb8cd591026f30529117573"
},
{
"url": "https://git.kernel.org/stable/c/1d75b73ec6d6b705cca528b36d8315e43e8d7fa5"
},
{
"url": "https://git.kernel.org/stable/c/0484271ab0ce50649329fa9dc23c50853c5b26a4"
}
],
"title": "ASoC: rt7*-sdw: harden jack_detect_handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49616",
"datePublished": "2025-02-26T02:23:36.180Z",
"dateReserved": "2025-02-26T02:21:30.419Z",
"dateUpdated": "2025-05-04T08:41:51.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49302 (GCVE-0-2022-49302)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: host: isp116x: check return value after calling platform_get_resource()
It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:40.488195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/isp116x-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "804de302ada3544699c5f48c5314b249af76faa3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bffda1560a6f255fdf504e059fbbdb5d46b9e44",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3825db88d8c704e7992b685618a03f82bffcf2ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c91a74b1f0f2d2d7e728742ae55e3ffe9ba7853d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee105039d3653444de4d3ede642383c92855dc1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3592cfd8b848bf0c4d7740d78a87a7b8f6e1fa9a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aca0cab0e9ed33b6371aafb519a6c38f2850ffc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82a101f14943f479fd190b1e5b40d91c77e2ac1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/isp116x-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: host: isp116x: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:40.636Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/804de302ada3544699c5f48c5314b249af76faa3"
},
{
"url": "https://git.kernel.org/stable/c/7bffda1560a6f255fdf504e059fbbdb5d46b9e44"
},
{
"url": "https://git.kernel.org/stable/c/3825db88d8c704e7992b685618a03f82bffcf2ef"
},
{
"url": "https://git.kernel.org/stable/c/c91a74b1f0f2d2d7e728742ae55e3ffe9ba7853d"
},
{
"url": "https://git.kernel.org/stable/c/ee105039d3653444de4d3ede642383c92855dc1e"
},
{
"url": "https://git.kernel.org/stable/c/3592cfd8b848bf0c4d7740d78a87a7b8f6e1fa9a"
},
{
"url": "https://git.kernel.org/stable/c/aca0cab0e9ed33b6371aafb519a6c38f2850ffc3"
},
{
"url": "https://git.kernel.org/stable/c/82a101f14943f479fd190b1e5b40d91c77e2ac1b"
},
{
"url": "https://git.kernel.org/stable/c/134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e"
}
],
"title": "USB: host: isp116x: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49302",
"datePublished": "2025-02-26T02:10:36.556Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-10-01T19:46:58.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49634 (GCVE-0-2022-49634)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sysctl: Fix data-races in proc_dou8vec_minmax().
A sysctl variable is accessed concurrently, and there is always a chance
of data-race. So, all readers and writers need some basic protection to
avoid load/store-tearing.
This patch changes proc_dou8vec_minmax() to use READ_ONCE() and
WRITE_ONCE() internally to fix data-races on the sysctl side. For now,
proc_dou8vec_minmax() itself is tolerant to a data-race, but we still
need to add annotations on the other subsystem's side.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:15.087673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:49.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f177b382c33900d0e5a9766493c11a1074076f78",
"status": "affected",
"version": "389dab6142d742f91010f38de0f1f2f440b97e1b",
"versionType": "git"
},
{
"lessThan": "e58b02e445463065b4078bf621561da75197853f",
"status": "affected",
"version": "cb9444130662c6c13022579c861098f212db2562",
"versionType": "git"
},
{
"lessThan": "5f776daef0b5354615ec4b4234cd9539ca05f273",
"status": "affected",
"version": "cb9444130662c6c13022579c861098f212db2562",
"versionType": "git"
},
{
"lessThan": "7dee5d7747a69aa2be41f04c6a7ecfe3ac8cdf18",
"status": "affected",
"version": "cb9444130662c6c13022579c861098f212db2562",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data-races in proc_dou8vec_minmax().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race. So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_dou8vec_minmax() to use READ_ONCE() and\nWRITE_ONCE() internally to fix data-races on the sysctl side. For now,\nproc_dou8vec_minmax() itself is tolerant to a data-race, but we still\nneed to add annotations on the other subsystem\u0027s side."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:15.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f177b382c33900d0e5a9766493c11a1074076f78"
},
{
"url": "https://git.kernel.org/stable/c/e58b02e445463065b4078bf621561da75197853f"
},
{
"url": "https://git.kernel.org/stable/c/5f776daef0b5354615ec4b4234cd9539ca05f273"
},
{
"url": "https://git.kernel.org/stable/c/7dee5d7747a69aa2be41f04c6a7ecfe3ac8cdf18"
}
],
"title": "sysctl: Fix data-races in proc_dou8vec_minmax().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49634",
"datePublished": "2025-02-26T02:23:45.254Z",
"dateReserved": "2025-02-26T02:21:30.429Z",
"dateUpdated": "2025-10-01T19:36:49.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49157 (GCVE-0-2022-49157)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix premature hw access after PCI error
After a recoverable PCI error has been detected and recovered, qla driver
needs to check to see if the error condition still persist and/or wait
for the OS to give the resume signal.
Sep 8 22:26:03 localhost kernel: WARNING: CPU: 9 PID: 124606 at qla_tmpl.c:440
qla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx]
Sep 8 22:26:03 localhost kernel: RIP: 0010:qla27xx_fwdt_entry_t266+0x55/0x60
[qla2xxx]
Sep 8 22:26:03 localhost kernel: Call Trace:
Sep 8 22:26:03 localhost kernel: ? qla27xx_walk_template+0xb1/0x1b0 [qla2xxx]
Sep 8 22:26:03 localhost kernel: ? qla27xx_execute_fwdt_template+0x12a/0x160
[qla2xxx]
Sep 8 22:26:03 localhost kernel: ? qla27xx_fwdump+0xa0/0x1c0 [qla2xxx]
Sep 8 22:26:03 localhost kernel: ? qla2xxx_pci_mmio_enabled+0xfb/0x120
[qla2xxx]
Sep 8 22:26:03 localhost kernel: ? report_mmio_enabled+0x44/0x80
Sep 8 22:26:03 localhost kernel: ? report_slot_reset+0x80/0x80
Sep 8 22:26:03 localhost kernel: ? pci_walk_bus+0x70/0x90
Sep 8 22:26:03 localhost kernel: ? aer_dev_correctable_show+0xc0/0xc0
Sep 8 22:26:03 localhost kernel: ? pcie_do_recovery+0x1bb/0x240
Sep 8 22:26:03 localhost kernel: ? aer_recover_work_func+0xaa/0xd0
Sep 8 22:26:03 localhost kernel: ? process_one_work+0x1a7/0x360
..
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-8041:22: detected PCI
disconnect.
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22:
qla27xx_fwdt_entry_t262: dump ram MB failed. Area 5h start 198013h end 198013h
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: Unable to
capture FW dump
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-1015:22: cmd=0x0,
waited 5221 msecs
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-680d:22: mmio
enabled returning.
Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-d04c:22: MBX
Command timeout for cmd 0, iocontrol=ffffffff jiffies=10140f2e5
mb[0-3]=[0xffff 0xffff 0xffff 0xffff]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_tmpl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ef6319f9882699613d5182fbd7929b017e8c5ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7994dff9071555a959a168f9184dd9abae68a6b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c125fd5ad035777f7b471553f7ddda76e8e7136",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e35920ab7874d5e2faeb4f958a74bfa793f1ce5a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c",
"drivers/scsi/qla2xxx/qla_tmpl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix premature hw access after PCI error\n\nAfter a recoverable PCI error has been detected and recovered, qla driver\nneeds to check to see if the error condition still persist and/or wait\nfor the OS to give the resume signal.\n\nSep 8 22:26:03 localhost kernel: WARNING: CPU: 9 PID: 124606 at qla_tmpl.c:440\nqla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx]\nSep 8 22:26:03 localhost kernel: RIP: 0010:qla27xx_fwdt_entry_t266+0x55/0x60\n[qla2xxx]\nSep 8 22:26:03 localhost kernel: Call Trace:\nSep 8 22:26:03 localhost kernel: ? qla27xx_walk_template+0xb1/0x1b0 [qla2xxx]\nSep 8 22:26:03 localhost kernel: ? qla27xx_execute_fwdt_template+0x12a/0x160\n[qla2xxx]\nSep 8 22:26:03 localhost kernel: ? qla27xx_fwdump+0xa0/0x1c0 [qla2xxx]\nSep 8 22:26:03 localhost kernel: ? qla2xxx_pci_mmio_enabled+0xfb/0x120\n[qla2xxx]\nSep 8 22:26:03 localhost kernel: ? report_mmio_enabled+0x44/0x80\nSep 8 22:26:03 localhost kernel: ? report_slot_reset+0x80/0x80\nSep 8 22:26:03 localhost kernel: ? pci_walk_bus+0x70/0x90\nSep 8 22:26:03 localhost kernel: ? aer_dev_correctable_show+0xc0/0xc0\nSep 8 22:26:03 localhost kernel: ? pcie_do_recovery+0x1bb/0x240\nSep 8 22:26:03 localhost kernel: ? aer_recover_work_func+0xaa/0xd0\nSep 8 22:26:03 localhost kernel: ? process_one_work+0x1a7/0x360\n..\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-8041:22: detected PCI\ndisconnect.\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22:\nqla27xx_fwdt_entry_t262: dump ram MB failed. Area 5h start 198013h end 198013h\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: Unable to\ncapture FW dump\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-1015:22: cmd=0x0,\nwaited 5221 msecs\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-680d:22: mmio\nenabled returning.\nSep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-d04c:22: MBX\nCommand timeout for cmd 0, iocontrol=ffffffff jiffies=10140f2e5\nmb[0-3]=[0xffff 0xffff 0xffff 0xffff]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:12.861Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ef6319f9882699613d5182fbd7929b017e8c5ab"
},
{
"url": "https://git.kernel.org/stable/c/d7994dff9071555a959a168f9184dd9abae68a6b"
},
{
"url": "https://git.kernel.org/stable/c/6c125fd5ad035777f7b471553f7ddda76e8e7136"
},
{
"url": "https://git.kernel.org/stable/c/e35920ab7874d5e2faeb4f958a74bfa793f1ce5a"
}
],
"title": "scsi: qla2xxx: Fix premature hw access after PCI error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49157",
"datePublished": "2025-02-26T01:55:20.807Z",
"dateReserved": "2025-02-26T01:49:39.276Z",
"dateUpdated": "2025-05-04T08:31:12.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49189 (GCVE-0-2022-49189)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: clk-rcg2: Update logic to calculate D value for RCG
The display pixel clock has a requirement on certain newer platforms to
support M/N as (2/3) and the final D value calculated results in
underflow errors.
As the current implementation does not check for D value is within
the accepted range for a given M & N value. Update the logic to
calculate the final D value based on the range.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 Version: 99cbd064b059f222c8839ba433a68b2d6ee33066 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/clk-rcg2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52592f9afbfe01bce8f8953e4f19cbe3bcbdbd3a",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
},
{
"lessThan": "334720f418f57b1d969dad2117b21f9388cb9395",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
},
{
"lessThan": "34dca60982e93e69ae442aa2d36ce61c9a3bb563",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
},
{
"lessThan": "96888f0dcf351e758b9df57e015a48427ca709c1",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
},
{
"lessThan": "a4e2e31971354790b0d1fa3e783452a9d135fcff",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
},
{
"lessThan": "58922910add18583d5273c2edcdb9fd7bf4eca02",
"status": "affected",
"version": "99cbd064b059f222c8839ba433a68b2d6ee33066",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/clk-rcg2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: clk-rcg2: Update logic to calculate D value for RCG\n\nThe display pixel clock has a requirement on certain newer platforms to\nsupport M/N as (2/3) and the final D value calculated results in\nunderflow errors.\nAs the current implementation does not check for D value is within\nthe accepted range for a given M \u0026 N value. Update the logic to\ncalculate the final D value based on the range."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:54.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52592f9afbfe01bce8f8953e4f19cbe3bcbdbd3a"
},
{
"url": "https://git.kernel.org/stable/c/334720f418f57b1d969dad2117b21f9388cb9395"
},
{
"url": "https://git.kernel.org/stable/c/34dca60982e93e69ae442aa2d36ce61c9a3bb563"
},
{
"url": "https://git.kernel.org/stable/c/96888f0dcf351e758b9df57e015a48427ca709c1"
},
{
"url": "https://git.kernel.org/stable/c/a4e2e31971354790b0d1fa3e783452a9d135fcff"
},
{
"url": "https://git.kernel.org/stable/c/58922910add18583d5273c2edcdb9fd7bf4eca02"
}
],
"title": "clk: qcom: clk-rcg2: Update logic to calculate D value for RCG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49189",
"datePublished": "2025-02-26T01:55:37.095Z",
"dateReserved": "2025-02-26T01:49:39.286Z",
"dateUpdated": "2025-05-04T08:31:54.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53063 (GCVE-0-2024-53063)
Vulnerability from cvelistv5
Published
2024-11-19 17:22
Modified
2025-11-03 22:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvbdev: prevent the risk of out of memory access
The dvbdev contains a static variable used to store dvb minors.
The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
or not. When not set, dvb_register_device() won't check for
boundaries, as it will rely that a previous call to
dvb_register_adapter() would already be enforcing it.
On a similar way, dvb_device_open() uses the assumption
that the register functions already did the needed checks.
This can be fragile if some device ends using different
calls. This also generate warnings on static check analysers
like Coverity.
So, add explicit guards to prevent potential risk of OOM issues.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba Version: 5dd3f3071070f5a306bdf8d474c80062f5691cba |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:12:43.056905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:17.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:28:57.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fedfde9deb83ac8d2f3d5f36f111023df34b1684",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "3b88675e18b6517043a6f734eaa8ea6eb3bfa140",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "a4a17210c03ade1c8d9a9f193a105654b7a05c11",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "5f76f7df14861e3a560898fa41979ec92424b58f",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "b751a96025275c17f04083cbfe856822f1658946",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "1e461672616b726f29261ee81bb991528818537c",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "9c17085fabbde2041c893d29599800f2d4992b23",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
},
{
"lessThan": "972e63e895abbe8aa1ccbdbb4e6362abda7cd457",
"status": "affected",
"version": "5dd3f3071070f5a306bdf8d474c80062f5691cba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.286",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.324",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.286",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.230",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.172",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: prevent the risk of out of memory access\n\nThe dvbdev contains a static variable used to store dvb minors.\n\nThe behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set\nor not. When not set, dvb_register_device() won\u0027t check for\nboundaries, as it will rely that a previous call to\ndvb_register_adapter() would already be enforcing it.\n\nOn a similar way, dvb_device_open() uses the assumption\nthat the register functions already did the needed checks.\n\nThis can be fragile if some device ends using different\ncalls. This also generate warnings on static check analysers\nlike Coverity.\n\nSo, add explicit guards to prevent potential risk of OOM issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:52:00.976Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fedfde9deb83ac8d2f3d5f36f111023df34b1684"
},
{
"url": "https://git.kernel.org/stable/c/3b88675e18b6517043a6f734eaa8ea6eb3bfa140"
},
{
"url": "https://git.kernel.org/stable/c/a4a17210c03ade1c8d9a9f193a105654b7a05c11"
},
{
"url": "https://git.kernel.org/stable/c/5f76f7df14861e3a560898fa41979ec92424b58f"
},
{
"url": "https://git.kernel.org/stable/c/b751a96025275c17f04083cbfe856822f1658946"
},
{
"url": "https://git.kernel.org/stable/c/1e461672616b726f29261ee81bb991528818537c"
},
{
"url": "https://git.kernel.org/stable/c/9c17085fabbde2041c893d29599800f2d4992b23"
},
{
"url": "https://git.kernel.org/stable/c/972e63e895abbe8aa1ccbdbb4e6362abda7cd457"
}
],
"title": "media: dvbdev: prevent the risk of out of memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53063",
"datePublished": "2024-11-19T17:22:33.518Z",
"dateReserved": "2024-11-19T17:17:24.975Z",
"dateUpdated": "2025-11-03T22:28:57.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21711 (GCVE-0-2025-21711)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/rose: prevent integer overflows in rose_setsockopt()
In case of possible unpredictably large arguments passed to
rose_setsockopt() and multiplied by extra values on top of that,
integer overflows may occur.
Do the safest minimum and fix these issues by checking the
contents of 'opt' and returning -EINVAL if they are too large. Also,
switch to unsigned int and remove useless check for negative 'opt'
in ROSE_IDLE case.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:05.168Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bdd449977e2364a53d0b2a5427e71beb1cd702d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8583b54455cbec2fc038fa32b6700890b369815",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bdee49ad6bbd26ab5e13cc6731e54fb1b6c1dca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "352daa50946c3bbb662432e8daf54d6760796589",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d08f4074f9c69f7e95502587eb1b258a965ba7f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e5338930a29d0ab2a5af402f5f664aeba0d1a676",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d640627663bfe7d8963c7615316d7d4ef60f3b0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rose: prevent integer overflows in rose_setsockopt()\n\nIn case of possible unpredictably large arguments passed to\nrose_setsockopt() and multiplied by extra values on top of that,\ninteger overflows may occur.\n\nDo the safest minimum and fix these issues by checking the\ncontents of \u0027opt\u0027 and returning -EINVAL if they are too large. Also,\nswitch to unsigned int and remove useless check for negative \u0027opt\u0027\nin ROSE_IDLE case."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:29.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bdd449977e2364a53d0b2a5427e71beb1cd702d"
},
{
"url": "https://git.kernel.org/stable/c/b8583b54455cbec2fc038fa32b6700890b369815"
},
{
"url": "https://git.kernel.org/stable/c/9bdee49ad6bbd26ab5e13cc6731e54fb1b6c1dca"
},
{
"url": "https://git.kernel.org/stable/c/352daa50946c3bbb662432e8daf54d6760796589"
},
{
"url": "https://git.kernel.org/stable/c/d08f4074f9c69f7e95502587eb1b258a965ba7f0"
},
{
"url": "https://git.kernel.org/stable/c/e5338930a29d0ab2a5af402f5f664aeba0d1a676"
},
{
"url": "https://git.kernel.org/stable/c/d640627663bfe7d8963c7615316d7d4ef60f3b0b"
}
],
"title": "net/rose: prevent integer overflows in rose_setsockopt()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21711",
"datePublished": "2025-02-27T02:07:23.746Z",
"dateReserved": "2024-12-29T08:45:45.752Z",
"dateUpdated": "2025-11-03T19:36:05.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49631 (GCVE-0-2022-49631)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
raw: Fix a data-race around sysctl_raw_l3mdev_accept.
While reading sysctl_raw_l3mdev_accept, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:24.758858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:50.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/raw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc9540ba5b3652c473af7e54892a48cdced87983",
"status": "affected",
"version": "6897445fb194c8ad046df4a13e1ee9f080a5a21e",
"versionType": "git"
},
{
"lessThan": "038a87b3e460d2ee579c8b1bd3890d816d6687b1",
"status": "affected",
"version": "6897445fb194c8ad046df4a13e1ee9f080a5a21e",
"versionType": "git"
},
{
"lessThan": "46e9c46203fd4676720ddca0fef7eff26826648e",
"status": "affected",
"version": "6897445fb194c8ad046df4a13e1ee9f080a5a21e",
"versionType": "git"
},
{
"lessThan": "ab5adca2e17d6595f3fc0e25ccb6bcbe2e01ca4f",
"status": "affected",
"version": "6897445fb194c8ad046df4a13e1ee9f080a5a21e",
"versionType": "git"
},
{
"lessThan": "1dace014928e6e385363032d359a04dee9158af0",
"status": "affected",
"version": "6897445fb194c8ad046df4a13e1ee9f080a5a21e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/raw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nraw: Fix a data-race around sysctl_raw_l3mdev_accept.\n\nWhile reading sysctl_raw_l3mdev_accept, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:11.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc9540ba5b3652c473af7e54892a48cdced87983"
},
{
"url": "https://git.kernel.org/stable/c/038a87b3e460d2ee579c8b1bd3890d816d6687b1"
},
{
"url": "https://git.kernel.org/stable/c/46e9c46203fd4676720ddca0fef7eff26826648e"
},
{
"url": "https://git.kernel.org/stable/c/ab5adca2e17d6595f3fc0e25ccb6bcbe2e01ca4f"
},
{
"url": "https://git.kernel.org/stable/c/1dace014928e6e385363032d359a04dee9158af0"
}
],
"title": "raw: Fix a data-race around sysctl_raw_l3mdev_accept.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49631",
"datePublished": "2025-02-26T02:23:43.727Z",
"dateReserved": "2025-02-26T02:21:30.422Z",
"dateUpdated": "2025-10-01T19:36:50.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49258 (GCVE-0-2022-49258)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccree - Fix use after free in cc_cipher_exit()
kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But
ctx_p->user.key is still used in the next line, which will lead to a
use after free.
We can call kfree_sensitive() after dev_dbg() to avoid the uaf.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:54.341608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccree/cc_cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c93017c8d5ebf55a4e453ac7c84cc84cf92ab570",
"status": "affected",
"version": "63ee04c8b491ee148489347e7da9fbfd982ca2bb",
"versionType": "git"
},
{
"lessThan": "335bf1fc74f775a8255257aa3e33763f2257b676",
"status": "affected",
"version": "63ee04c8b491ee148489347e7da9fbfd982ca2bb",
"versionType": "git"
},
{
"lessThan": "25c358efee5153dfd240d4e0d3169d5bebe9cacd",
"status": "affected",
"version": "63ee04c8b491ee148489347e7da9fbfd982ca2bb",
"versionType": "git"
},
{
"lessThan": "cffb5382bd8d3cf21b874ab5b84bf7618932286b",
"status": "affected",
"version": "63ee04c8b491ee148489347e7da9fbfd982ca2bb",
"versionType": "git"
},
{
"lessThan": "3d950c34074ed74d2713c3856ba01264523289e6",
"status": "affected",
"version": "63ee04c8b491ee148489347e7da9fbfd982ca2bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccree/cc_cipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccree - Fix use after free in cc_cipher_exit()\n\nkfree_sensitive(ctx_p-\u003euser.key) will free the ctx_p-\u003euser.key. But\nctx_p-\u003euser.key is still used in the next line, which will lead to a\nuse after free.\n\nWe can call kfree_sensitive() after dev_dbg() to avoid the uaf."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:32.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c93017c8d5ebf55a4e453ac7c84cc84cf92ab570"
},
{
"url": "https://git.kernel.org/stable/c/335bf1fc74f775a8255257aa3e33763f2257b676"
},
{
"url": "https://git.kernel.org/stable/c/25c358efee5153dfd240d4e0d3169d5bebe9cacd"
},
{
"url": "https://git.kernel.org/stable/c/cffb5382bd8d3cf21b874ab5b84bf7618932286b"
},
{
"url": "https://git.kernel.org/stable/c/3d950c34074ed74d2713c3856ba01264523289e6"
}
],
"title": "crypto: ccree - Fix use after free in cc_cipher_exit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49258",
"datePublished": "2025-02-26T01:56:11.561Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:32.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49342 (GCVE-0-2022-49342)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: bgmac: Fix refcount leak in bcma_mdio_mii_register
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:03.611967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b51996e35bbfcc7a27d94dfeed5cc2429b2c0df4",
"status": "affected",
"version": "55954f3bfdacc5908515b0c306cea23e77fab740",
"versionType": "git"
},
{
"lessThan": "7fb1fe7d9a167205413f1de8db9f7d0f82c78286",
"status": "affected",
"version": "55954f3bfdacc5908515b0c306cea23e77fab740",
"versionType": "git"
},
{
"lessThan": "b8d91399775c55162073bb2aca061ec42e3d4bc1",
"status": "affected",
"version": "55954f3bfdacc5908515b0c306cea23e77fab740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bgmac-bcma-mdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: bgmac: Fix refcount leak in bcma_mdio_mii_register\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:41.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b51996e35bbfcc7a27d94dfeed5cc2429b2c0df4"
},
{
"url": "https://git.kernel.org/stable/c/7fb1fe7d9a167205413f1de8db9f7d0f82c78286"
},
{
"url": "https://git.kernel.org/stable/c/b8d91399775c55162073bb2aca061ec42e3d4bc1"
}
],
"title": "net: ethernet: bgmac: Fix refcount leak in bcma_mdio_mii_register",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49342",
"datePublished": "2025-02-26T02:10:58.604Z",
"dateReserved": "2025-02-26T02:08:31.542Z",
"dateUpdated": "2025-10-01T19:46:55.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49204 (GCVE-0-2022-49204)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix more uncharged while msg has more_data
In tcp_bpf_send_verdict(), if msg has more data after
tcp_bpf_sendmsg_redir():
tcp_bpf_send_verdict()
tosend = msg->sg.size //msg->sg.size = 22220
case __SK_REDIRECT:
sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc
tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000
goto more_data;
tosend = msg->sg.size //msg->sg.size = 11000
case __SK_REDIRECT:
sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc
The msg->sg.size(11000) has been uncharged twice, to fix we can charge the
remaining msg->sg.size before goto more data.
This issue can cause the following info:
WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
Call Trace:
<TASK>
inet_csk_destroy_sock+0x55/0x110
__tcp_close+0x279/0x470
tcp_close+0x1f/0x60
inet_release+0x3f/0x80
__sock_release+0x3d/0xb0
sock_close+0x11/0x20
__fput+0x92/0x250
task_work_run+0x6a/0xa0
do_exit+0x33b/0xb60
do_group_exit+0x2f/0xa0
get_signal+0xb6/0x950
arch_do_signal_or_restart+0xac/0x2a0
? vfs_write+0x237/0x290
exit_to_user_mode_prepare+0xa9/0x200
syscall_exit_to_user_mode+0x12/0x30
do_syscall_64+0x46/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
worker_thread+0x30/0x350
? process_one_work+0x3c0/0x3c0
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c Version: 604326b41a6fb9b4a78b6179335decee0365cd8c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "7b812a369e6416ab06d83cdd39d8e3f752781dd0",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "168ff181f5b6e7fce684c98a30d35da1dbf8f82a",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "87d532d41ef937e16f61b3d2094f3a2ac49be365",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "abb4caa477a5450817d2aa1198edce66450aecf8",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "84472b436e760ba439e1969a9e3c5ae7c86de39d",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix more uncharged while msg has more_data\n\nIn tcp_bpf_send_verdict(), if msg has more data after\ntcp_bpf_sendmsg_redir():\n\ntcp_bpf_send_verdict()\n tosend = msg-\u003esg.size //msg-\u003esg.size = 22220\n case __SK_REDIRECT:\n sk_msg_return() //uncharged msg-\u003esg.size(22220) sk-\u003esk_forward_alloc\n tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg-\u003esg.size=11000\n goto more_data;\n tosend = msg-\u003esg.size //msg-\u003esg.size = 11000\n case __SK_REDIRECT:\n sk_msg_return() //uncharged msg-\u003esg.size(11000) to sk-\u003esk_forward_alloc\n\nThe msg-\u003esg.size(11000) has been uncharged twice, to fix we can charge the\nremaining msg-\u003esg.size before goto more data.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0\nCall Trace:\n \u003cTASK\u003e\n inet_csk_destroy_sock+0x55/0x110\n __tcp_close+0x279/0x470\n tcp_close+0x1f/0x60\n inet_release+0x3f/0x80\n __sock_release+0x3d/0xb0\n sock_close+0x11/0x20\n __fput+0x92/0x250\n task_work_run+0x6a/0xa0\n do_exit+0x33b/0xb60\n do_group_exit+0x2f/0xa0\n get_signal+0xb6/0x950\n arch_do_signal_or_restart+0xac/0x2a0\n ? vfs_write+0x237/0x290\n exit_to_user_mode_prepare+0xa9/0x200\n syscall_exit_to_user_mode+0x12/0x30\n do_syscall_64+0x46/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e\n\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:17.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/244ce90c8d0bd10ebf957da02c6f3fcd5d920bdf"
},
{
"url": "https://git.kernel.org/stable/c/7b812a369e6416ab06d83cdd39d8e3f752781dd0"
},
{
"url": "https://git.kernel.org/stable/c/168ff181f5b6e7fce684c98a30d35da1dbf8f82a"
},
{
"url": "https://git.kernel.org/stable/c/87d532d41ef937e16f61b3d2094f3a2ac49be365"
},
{
"url": "https://git.kernel.org/stable/c/abb4caa477a5450817d2aa1198edce66450aecf8"
},
{
"url": "https://git.kernel.org/stable/c/84472b436e760ba439e1969a9e3c5ae7c86de39d"
}
],
"title": "bpf, sockmap: Fix more uncharged while msg has more_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49204",
"datePublished": "2025-02-26T01:55:44.678Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:17.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49474 (GCVE-0-2022-49474)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
Connecting the same socket twice consecutively in sco_sock_connect()
could lead to a race condition where two sco_conn objects are created
but only one is associated with the socket. If the socket is closed
before the SCO connection is established, the timer associated with the
dangling sco_conn object won't be canceled. As the sock object is being
freed, the use-after-free problem happens when the timer callback
function sco_sock_timeout() accesses the socket. Here's the call trace:
dump_stack+0x107/0x163
? refcount_inc+0x1c/
print_address_description.constprop.0+0x1c/0x47e
? refcount_inc+0x1c/0x7b
kasan_report+0x13a/0x173
? refcount_inc+0x1c/0x7b
check_memory_region+0x132/0x139
refcount_inc+0x1c/0x7b
sco_sock_timeout+0xb2/0x1ba
process_one_work+0x739/0xbd1
? cancel_delayed_work+0x13f/0x13f
? __raw_spin_lock_init+0xf0/0xf0
? to_kthread+0x59/0x85
worker_thread+0x593/0x70e
kthread+0x346/0x35a
? drain_workqueue+0x31a/0x31a
? kthread_bind+0x4b/0x4b
ret_from_fork+0x1f/0x30
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 22c66af08230a7030bdb88accffaec3424695631 Version: 0115a66ebb44bd9127ccb58cf43ed23c795eb1f0 Version: bc4b08383046f3282b6fa58cfcef05bd13e52b93 Version: 5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7 Version: 059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75 Version: e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 Version: e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 Version: e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 Version: e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 Version: 98ae477ed1540d3acbbf44d88ee237ad64275158 Version: f0c389e23e2475e5837716a629c81b7a9d90cc94 Version: 0b9da4bde0d59c61b3675bdd80a05a726beb875a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:54.463749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9de3dc09e56f8deacd2bdbf4cecb71e11a312405",
"status": "affected",
"version": "22c66af08230a7030bdb88accffaec3424695631",
"versionType": "git"
},
{
"lessThan": "7d61dbd7311ab978d8ddac1749a758de4de00374",
"status": "affected",
"version": "0115a66ebb44bd9127ccb58cf43ed23c795eb1f0",
"versionType": "git"
},
{
"lessThan": "390d82733a953c1fabf3de9c9618091a7a9c90a6",
"status": "affected",
"version": "bc4b08383046f3282b6fa58cfcef05bd13e52b93",
"versionType": "git"
},
{
"lessThan": "6f55fac0af3531cf60d11369454c41f5fc81ab3f",
"status": "affected",
"version": "5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7",
"versionType": "git"
},
{
"lessThan": "36c644c63bfcaee2d3a426f45e89a9cd09799318",
"status": "affected",
"version": "059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75",
"versionType": "git"
},
{
"lessThan": "65d347cb39e2e6bd0c2a745ad7c928998ebb0162",
"status": "affected",
"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59",
"versionType": "git"
},
{
"lessThan": "537f619dea4e3fa8ed1f8f938abffe3615794bcc",
"status": "affected",
"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59",
"versionType": "git"
},
{
"lessThan": "99df16007f4bbf9abfc3478cb17d10f0d7f8906e",
"status": "affected",
"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59",
"versionType": "git"
},
{
"lessThan": "7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2",
"status": "affected",
"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59",
"versionType": "git"
},
{
"status": "affected",
"version": "98ae477ed1540d3acbbf44d88ee237ad64275158",
"versionType": "git"
},
{
"status": "affected",
"version": "f0c389e23e2475e5837716a629c81b7a9d90cc94",
"versionType": "git"
},
{
"status": "affected",
"version": "0b9da4bde0d59c61b3675bdd80a05a726beb875a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won\u0027t be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here\u0027s the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:51.218Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"
},
{
"url": "https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"
},
{
"url": "https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"
},
{
"url": "https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"
},
{
"url": "https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"
},
{
"url": "https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"
},
{
"url": "https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"
},
{
"url": "https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"
},
{
"url": "https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"
}
],
"title": "Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49474",
"datePublished": "2025-02-26T02:13:16.679Z",
"dateReserved": "2025-02-26T02:08:31.579Z",
"dateUpdated": "2025-05-04T12:44:51.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49088 (GCVE-0-2022-49088)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe
This node pointer is returned by of_find_compatible_node() with
refcount incremented. Calling of_node_put() to aovid the refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c Version: d346c9e86d8685d7cdceddf5b2e9c4376334620c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbe5f4c0dd3475178f17ddd8b8d5044ebeae0be7",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
},
{
"lessThan": "ebd1e3458dbf6643aa0272da398cb5b537d492b7",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
},
{
"lessThan": "599874bbc4ed832ccb578d48ac0ae7344382ef43",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
},
{
"lessThan": "46d120f7c163706d6c31ee00baa0be64c4572b78",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
},
{
"lessThan": "45fdd98b70142521739615ad1bfb760401863b73",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
},
{
"lessThan": "2b04bd4f03bba021959ca339314f6739710f0954",
"status": "affected",
"version": "d346c9e86d8685d7cdceddf5b2e9c4376334620c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe\n\nThis node pointer is returned by of_find_compatible_node() with\nrefcount incremented. Calling of_node_put() to aovid the refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:28.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbe5f4c0dd3475178f17ddd8b8d5044ebeae0be7"
},
{
"url": "https://git.kernel.org/stable/c/ebd1e3458dbf6643aa0272da398cb5b537d492b7"
},
{
"url": "https://git.kernel.org/stable/c/599874bbc4ed832ccb578d48ac0ae7344382ef43"
},
{
"url": "https://git.kernel.org/stable/c/46d120f7c163706d6c31ee00baa0be64c4572b78"
},
{
"url": "https://git.kernel.org/stable/c/45fdd98b70142521739615ad1bfb760401863b73"
},
{
"url": "https://git.kernel.org/stable/c/2b04bd4f03bba021959ca339314f6739710f0954"
}
],
"title": "dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49088",
"datePublished": "2025-02-26T01:54:45.165Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T08:29:28.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49199 (GCVE-0-2022-49199)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()
This code checks "index" for an upper bound but it does not check for
negatives. Change the type to unsigned to prevent underflows.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/nldev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6dd8669b8299a3a536cd92a7069152a7704da1d",
"status": "affected",
"version": "3c3c1f1416392382faa0238e76a70d7810aab2ef",
"versionType": "git"
},
{
"lessThan": "2a495ef04d5f42e6f00eb2bec1ee9075e3d5a771",
"status": "affected",
"version": "3c3c1f1416392382faa0238e76a70d7810aab2ef",
"versionType": "git"
},
{
"lessThan": "87e0eacb176f9500c2063d140c0a1d7fa51ab8a5",
"status": "affected",
"version": "3c3c1f1416392382faa0238e76a70d7810aab2ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/nldev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()\n\nThis code checks \"index\" for an upper bound but it does not check for\nnegatives. Change the type to unsigned to prevent underflows."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:12.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6dd8669b8299a3a536cd92a7069152a7704da1d"
},
{
"url": "https://git.kernel.org/stable/c/2a495ef04d5f42e6f00eb2bec1ee9075e3d5a771"
},
{
"url": "https://git.kernel.org/stable/c/87e0eacb176f9500c2063d140c0a1d7fa51ab8a5"
}
],
"title": "RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49199",
"datePublished": "2025-02-26T01:55:42.120Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:12.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49424 (GCVE-0-2022-49424)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Fix NULL pointer dereference when printing dev_name
When larbdev is NULL (in the case I hit, the node is incorrectly set
iommus = <&iommu NUM>), it will cause device_link_add() fail and
kernel crashes when we try to print dev_name(larbdev).
Let's fail the probe if a larbdev is NULL to avoid invalid inputs from
dts.
It should work for normal correct setting and avoid the crash caused
by my incorrect setting.
Error log:
[ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
...
[ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO)
[ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]
[ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]
[ 18.346884][ T301] sp : ffffffc00a5635e0
[ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8
[ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38
[ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38
[ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38
[ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000
[ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0
[ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004
[ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420
[ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003
[ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2
[ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00
[ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000
[ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001
[ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005
[ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000
[ 18.360208][ T301] Hardware name: MT6873 (DT)
[ 18.360771][ T301] Call trace:
[ 18.361168][ T301] dump_backtrace+0xf8/0x1f0
[ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c
[ 18.362305][ T301] dump_stack+0x1c/0x2c
[ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump]
[ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump]
[ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8
[ 18.364937][ T301] die+0x16c/0x568
[ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214
[ 18.365402][ T301] do_page_fault+0xb8/0x678
[ 18.366934][ T301] do_translation_fault+0x48/0x64
[ 18.368645][ T301] do_mem_abort+0x68/0x148
[ 18.368652][ T301] el1_abort+0x40/0x64
[ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88
[ 18.368668][ T301] el1h_64_sync+0x68/0x6c
[ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]
...
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c",
"drivers/iommu/mtk_iommu_v1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c3c2734e28d7fac50228c4d2b8896e8695adf304",
"status": "affected",
"version": "77fbe028d5a3f7fc6060c4454ead9510533acd1e",
"versionType": "git"
},
{
"lessThan": "e9c63c0f73a1bbfd02624f5eae7e881df8b6830f",
"status": "affected",
"version": "18ea450ed1b60c1bb336f5efe874f61909ce7bec",
"versionType": "git"
},
{
"lessThan": "8837c2682b9b2eed83e6212bcf79850c593a6fee",
"status": "affected",
"version": "635319a4a7444ca97124d781cd96deb277ff4d40",
"versionType": "git"
},
{
"lessThan": "de78657e16f41417da9332f09c2d67d100096939",
"status": "affected",
"version": "635319a4a7444ca97124d781cd96deb277ff4d40",
"versionType": "git"
},
{
"status": "affected",
"version": "b7bf68272b6ae7c469854e2e054db1db1d158999",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c",
"drivers/iommu/mtk_iommu_v1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer dereference when printing dev_name\n\nWhen larbdev is NULL (in the case I hit, the node is incorrectly set\niommus = \u003c\u0026iommu NUM\u003e), it will cause device_link_add() fail and\nkernel crashes when we try to print dev_name(larbdev).\n\nLet\u0027s fail the probe if a larbdev is NULL to avoid invalid inputs from\ndts.\n\nIt should work for normal correct setting and avoid the crash caused\nby my incorrect setting.\n\nError log:\n[ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n...\n[ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO)\n[ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n[ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]\n[ 18.346884][ T301] sp : ffffffc00a5635e0\n[ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8\n[ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38\n[ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38\n[ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38\n[ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000\n[ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0\n[ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004\n[ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420\n[ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003\n[ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2\n[ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00\n[ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000\n[ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001\n[ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005\n[ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000\n[ 18.360208][ T301] Hardware name: MT6873 (DT)\n[ 18.360771][ T301] Call trace:\n[ 18.361168][ T301] dump_backtrace+0xf8/0x1f0\n[ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c\n[ 18.362305][ T301] dump_stack+0x1c/0x2c\n[ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump]\n[ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump]\n[ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8\n[ 18.364937][ T301] die+0x16c/0x568\n[ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214\n[ 18.365402][ T301] do_page_fault+0xb8/0x678\n[ 18.366934][ T301] do_translation_fault+0x48/0x64\n[ 18.368645][ T301] do_mem_abort+0x68/0x148\n[ 18.368652][ T301] el1_abort+0x40/0x64\n[ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88\n[ 18.368668][ T301] el1h_64_sync+0x68/0x6c\n[ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:40.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c3c2734e28d7fac50228c4d2b8896e8695adf304"
},
{
"url": "https://git.kernel.org/stable/c/e9c63c0f73a1bbfd02624f5eae7e881df8b6830f"
},
{
"url": "https://git.kernel.org/stable/c/8837c2682b9b2eed83e6212bcf79850c593a6fee"
},
{
"url": "https://git.kernel.org/stable/c/de78657e16f41417da9332f09c2d67d100096939"
}
],
"title": "iommu/mediatek: Fix NULL pointer dereference when printing dev_name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49424",
"datePublished": "2025-02-26T02:12:46.209Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T12:44:40.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49643 (GCVE-0-2022-49643)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix a potential integer overflow in ima_appraise_measurement
When the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be
negative, which may cause the integer overflow problem.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:55.240399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "388f3df7c3c8b7f2a32b9ae0a9b2f9f6ad3b1b77",
"status": "affected",
"version": "39b07096364a42c516415d5f841069e885234e61",
"versionType": "git"
},
{
"lessThan": "831e190175f10652be93b08436cc7bf2e62e4bb6",
"status": "affected",
"version": "39b07096364a42c516415d5f841069e885234e61",
"versionType": "git"
},
{
"lessThan": "c8d5d81940938b5f6c0f495ca9538e7740416f30",
"status": "affected",
"version": "39b07096364a42c516415d5f841069e885234e61",
"versionType": "git"
},
{
"lessThan": "640cea4c2839a821adfbb703b590a5928abe9286",
"status": "affected",
"version": "39b07096364a42c516415d5f841069e885234e61",
"versionType": "git"
},
{
"lessThan": "d2ee2cfc4aa85ff6a2a3b198a3a524ec54e3d999",
"status": "affected",
"version": "39b07096364a42c516415d5f841069e885234e61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix a potential integer overflow in ima_appraise_measurement\n\nWhen the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be\nnegative, which may cause the integer overflow problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:26.456Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/388f3df7c3c8b7f2a32b9ae0a9b2f9f6ad3b1b77"
},
{
"url": "https://git.kernel.org/stable/c/831e190175f10652be93b08436cc7bf2e62e4bb6"
},
{
"url": "https://git.kernel.org/stable/c/c8d5d81940938b5f6c0f495ca9538e7740416f30"
},
{
"url": "https://git.kernel.org/stable/c/640cea4c2839a821adfbb703b590a5928abe9286"
},
{
"url": "https://git.kernel.org/stable/c/d2ee2cfc4aa85ff6a2a3b198a3a524ec54e3d999"
}
],
"title": "ima: Fix a potential integer overflow in ima_appraise_measurement",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49643",
"datePublished": "2025-02-26T02:23:49.658Z",
"dateReserved": "2025-02-26T02:21:30.431Z",
"dateUpdated": "2025-10-01T19:36:48.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49350 (GCVE-0-2022-49350)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: unexport __init-annotated mdio_bus_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
drivers/net/phy/phy_device.c is never compiled as modular.
(CONFIG_PHYLIB is boolean)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 Version: 90eff9096c01ba90cdae504a6b95ee87fe2556a3 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab64ec2c75683f30ccde9eaaf0761002f901aa12",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "5534bcd7c40299862237c4a8fd9c5031b3db1538",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "6a90a44d53428a3bf01bd80df9ba78b19959270c",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "7759c3222815b945a94b212bc0c6cdec475cfec2",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "59fa94cddf9eef8d8dae587373eed8b8f4eb11d7",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "f5c68137f1191ba3fcf6260ec71b30be2e2bf4c3",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "f2f0f8c18b60ca64ff50892ed899cf1c77864755",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
},
{
"lessThan": "35b42dce619701f1300fb8498dae82c9bb1f0263",
"status": "affected",
"version": "90eff9096c01ba90cdae504a6b95ee87fe2556a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: unexport __init-annotated mdio_bus_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\ndrivers/net/phy/phy_device.c is never compiled as modular.\n(CONFIG_PHYLIB is boolean)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:51.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab64ec2c75683f30ccde9eaaf0761002f901aa12"
},
{
"url": "https://git.kernel.org/stable/c/5534bcd7c40299862237c4a8fd9c5031b3db1538"
},
{
"url": "https://git.kernel.org/stable/c/6a90a44d53428a3bf01bd80df9ba78b19959270c"
},
{
"url": "https://git.kernel.org/stable/c/7759c3222815b945a94b212bc0c6cdec475cfec2"
},
{
"url": "https://git.kernel.org/stable/c/59fa94cddf9eef8d8dae587373eed8b8f4eb11d7"
},
{
"url": "https://git.kernel.org/stable/c/f5c68137f1191ba3fcf6260ec71b30be2e2bf4c3"
},
{
"url": "https://git.kernel.org/stable/c/f2f0f8c18b60ca64ff50892ed899cf1c77864755"
},
{
"url": "https://git.kernel.org/stable/c/35b42dce619701f1300fb8498dae82c9bb1f0263"
}
],
"title": "net: mdio: unexport __init-annotated mdio_bus_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49350",
"datePublished": "2025-02-26T02:11:03.514Z",
"dateReserved": "2025-02-26T02:08:31.544Z",
"dateUpdated": "2025-05-04T08:35:51.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49672 (GCVE-0-2022-49672)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tun: unlink NAPI from device on destruction
Syzbot found a race between tun file and device destruction.
NAPIs live in struct tun_file which can get destroyed before
the netdev so we have to del them explicitly. The current
code is missing deleting the NAPI if the queue was detached
first.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 943170998b200190f99d3fe7e771437e2c51f319 Version: 943170998b200190f99d3fe7e771437e2c51f319 Version: 943170998b200190f99d3fe7e771437e2c51f319 Version: 943170998b200190f99d3fe7e771437e2c51f319 Version: 943170998b200190f99d3fe7e771437e2c51f319 Version: 943170998b200190f99d3fe7e771437e2c51f319 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82e729aee59acefe135fceffadcbc5b86dd4f1b9",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
},
{
"lessThan": "a8cf919022373c97a84fe596bbea544f909c485d",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
},
{
"lessThan": "bec1be0a745ab420718217e3e0d9542a75108989",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
},
{
"lessThan": "8145f77d38de4f88b8a69e1463f5c09ba189d77c",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
},
{
"lessThan": "8661d4b8faa2f7ee7a559969c0a7c57f077b1728",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
},
{
"lessThan": "3b9bc84d311104906d2b4995a9a02d7b7ddab2db",
"status": "affected",
"version": "943170998b200190f99d3fe7e771437e2c51f319",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.251",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: unlink NAPI from device on destruction\n\nSyzbot found a race between tun file and device destruction.\nNAPIs live in struct tun_file which can get destroyed before\nthe netdev so we have to del them explicitly. The current\ncode is missing deleting the NAPI if the queue was detached\nfirst."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:01.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82e729aee59acefe135fceffadcbc5b86dd4f1b9"
},
{
"url": "https://git.kernel.org/stable/c/a8cf919022373c97a84fe596bbea544f909c485d"
},
{
"url": "https://git.kernel.org/stable/c/bec1be0a745ab420718217e3e0d9542a75108989"
},
{
"url": "https://git.kernel.org/stable/c/8145f77d38de4f88b8a69e1463f5c09ba189d77c"
},
{
"url": "https://git.kernel.org/stable/c/8661d4b8faa2f7ee7a559969c0a7c57f077b1728"
},
{
"url": "https://git.kernel.org/stable/c/3b9bc84d311104906d2b4995a9a02d7b7ddab2db"
}
],
"title": "net: tun: unlink NAPI from device on destruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49672",
"datePublished": "2025-02-26T02:24:05.284Z",
"dateReserved": "2025-02-26T02:21:30.437Z",
"dateUpdated": "2025-05-04T08:43:01.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49406 (GCVE-0-2022-49406)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Fix potential deadlock in blk_ia_range_sysfs_show()
When being read, a sysfs attribute is already protected against removal
with the kobject node active reference counter. As a result, in
blk_ia_range_sysfs_show(), there is no need to take the queue sysfs
lock when reading the value of a range attribute. Using the queue sysfs
lock in this function creates a potential deadlock situation with the
disk removal, something that a lockdep signals with a splat when the
device is removed:
[ 760.703551] Possible unsafe locking scenario:
[ 760.703551]
[ 760.703554] CPU0 CPU1
[ 760.703556] ---- ----
[ 760.703558] lock(&q->sysfs_lock);
[ 760.703565] lock(kn->active#385);
[ 760.703573] lock(&q->sysfs_lock);
[ 760.703579] lock(kn->active#385);
[ 760.703587]
[ 760.703587] *** DEADLOCK ***
Solve this by removing the mutex_lock()/mutex_unlock() calls from
blk_ia_range_sysfs_show().
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:15.505282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-ia-ranges.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc107c805cde709866b59867ef72b9390199205e",
"status": "affected",
"version": "a2247f19ee1c5ad75ef095cdfb909a3244b88aa8",
"versionType": "git"
},
{
"lessThan": "717b078bc745ba9a262abebed9806a17e8bbb77b",
"status": "affected",
"version": "a2247f19ee1c5ad75ef095cdfb909a3244b88aa8",
"versionType": "git"
},
{
"lessThan": "41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532",
"status": "affected",
"version": "a2247f19ee1c5ad75ef095cdfb909a3244b88aa8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-ia-ranges.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix potential deadlock in blk_ia_range_sysfs_show()\n\nWhen being read, a sysfs attribute is already protected against removal\nwith the kobject node active reference counter. As a result, in\nblk_ia_range_sysfs_show(), there is no need to take the queue sysfs\nlock when reading the value of a range attribute. Using the queue sysfs\nlock in this function creates a potential deadlock situation with the\ndisk removal, something that a lockdep signals with a splat when the\ndevice is removed:\n\n[ 760.703551] Possible unsafe locking scenario:\n[ 760.703551]\n[ 760.703554] CPU0 CPU1\n[ 760.703556] ---- ----\n[ 760.703558] lock(\u0026q-\u003esysfs_lock);\n[ 760.703565] lock(kn-\u003eactive#385);\n[ 760.703573] lock(\u0026q-\u003esysfs_lock);\n[ 760.703579] lock(kn-\u003eactive#385);\n[ 760.703587]\n[ 760.703587] *** DEADLOCK ***\n\nSolve this by removing the mutex_lock()/mutex_unlock() calls from\nblk_ia_range_sysfs_show()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:59.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc107c805cde709866b59867ef72b9390199205e"
},
{
"url": "https://git.kernel.org/stable/c/717b078bc745ba9a262abebed9806a17e8bbb77b"
},
{
"url": "https://git.kernel.org/stable/c/41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532"
}
],
"title": "block: Fix potential deadlock in blk_ia_range_sysfs_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49406",
"datePublished": "2025-02-26T02:12:31.086Z",
"dateReserved": "2025-02-26T02:08:31.566Z",
"dateUpdated": "2025-10-01T19:46:50.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49638 (GCVE-0-2022-49638)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp: Fix data-races around sysctl.
While reading icmp sysctl variables, they can be changed concurrently.
So, we need to add READ_ONCE() to avoid data-races.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:34:08.875507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:49.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1740e5922fbb705637ae9fa5203db132fc45f9f6",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "53ecd09ef2fb35fa69667ae8e414ef6b00fd3bf6",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "edeec63b13c252193d626c2a48d7a2f0e7016dc2",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "0cba7ca667ceb06934746ddd9833a25847bde81d",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "e088ceb73c24ab4774da391d54a6426f4bfaefce",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "e2828e8c605853f71267825c9415437c0a93e4f2",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "798c2cf57c63ab39c8aac24d6a3d50f4fa5eeb06",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
},
{
"lessThan": "48d7ee321ea5182c6a70782aa186422a70e67e22",
"status": "affected",
"version": "4cdf507d54525842dfd9f6313fdafba039084046",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.207",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.324",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.289",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.207",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: Fix data-races around sysctl.\n\nWhile reading icmp sysctl variables, they can be changed concurrently.\nSo, we need to add READ_ONCE() to avoid data-races."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:20.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1740e5922fbb705637ae9fa5203db132fc45f9f6"
},
{
"url": "https://git.kernel.org/stable/c/53ecd09ef2fb35fa69667ae8e414ef6b00fd3bf6"
},
{
"url": "https://git.kernel.org/stable/c/edeec63b13c252193d626c2a48d7a2f0e7016dc2"
},
{
"url": "https://git.kernel.org/stable/c/0cba7ca667ceb06934746ddd9833a25847bde81d"
},
{
"url": "https://git.kernel.org/stable/c/e088ceb73c24ab4774da391d54a6426f4bfaefce"
},
{
"url": "https://git.kernel.org/stable/c/e2828e8c605853f71267825c9415437c0a93e4f2"
},
{
"url": "https://git.kernel.org/stable/c/798c2cf57c63ab39c8aac24d6a3d50f4fa5eeb06"
},
{
"url": "https://git.kernel.org/stable/c/48d7ee321ea5182c6a70782aa186422a70e67e22"
}
],
"title": "icmp: Fix data-races around sysctl.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49638",
"datePublished": "2025-02-26T02:23:47.200Z",
"dateReserved": "2025-02-26T02:21:30.429Z",
"dateUpdated": "2025-10-01T19:36:49.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49287 (GCVE-0-2022-49287)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: fix reference counting for struct tpm_chip
The following sequence of operations results in a refcount warning:
1. Open device /dev/tpmrm.
2. Remove module tpm_tis_spi.
3. Write a TPM command to the file descriptor opened at step 1.
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
Hardware name: BCM2711
[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
Exception stack(0xc226bfa8 to 0xc226bff0)
bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000
bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
bfe0: 0000006c beafe648 0001056c b6eb6944
---[ end trace d4b8409def9b8b1f ]---
The reason for this warning is the attempt to get the chip->dev reference
in tpm_common_write() although the reference counter is already zero.
Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
extra reference used to prevent a premature zero counter is never taken,
because the required TPM_CHIP_FLAG_TPM2 flag is never set.
Fix this by moving the TPM 2 character device handling from
tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
in time when the flag has been set in case of TPM2.
Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
already introduced function tpm_devs_release() to release the extra
reference but did not implement the required put on chip->devs that results
in the call of this function.
Fix this by putting chip->devs in tpm_chip_unregister().
Finally move the new implementation for the TPM 2 handling into a new
function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
good case and error cases.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 Version: fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49287",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:50.967565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm.h",
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "473a66f99cb8173c14138c5a5c69bfad04e8f9ac",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "cb64bd038beacb4331fe464a36c8b5481e8f51e2",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "a27ed2f3695baf15f9b34d2d7a1f9fc105539a81",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "290e05f346d1829e849662c97e42d5ad984f5258",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "662893b4f6bd466ff9e1cd454c44c26d32d554fe",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "2f928c0d5c02dbab49e8c19d98725c822f6fc409",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "6e7baf84149fb43950631415de231b3a41915aa3",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
},
{
"lessThan": "7e0438f83dc769465ee663bb5dcf8cc154940712",
"status": "affected",
"version": "fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm.h",
"drivers/char/tpm/tpm2-space.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: fix reference counting for struct tpm_chip\n\nThe following sequence of operations results in a refcount warning:\n\n1. Open device /dev/tpmrm.\n2. Remove module tpm_tis_spi.\n3. Write a TPM command to the file descriptor opened at step 1.\n\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4\nrefcount_t: addition on 0; use-after-free.\nModules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac\nsha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4\nbrcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes\nraspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm\nsnd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]\nCPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2\nHardware name: BCM2711\n[\u003cc0410c3c\u003e] (unwind_backtrace) from [\u003cc040b580\u003e] (show_stack+0x10/0x14)\n[\u003cc040b580\u003e] (show_stack) from [\u003cc1092174\u003e] (dump_stack+0xc4/0xd8)\n[\u003cc1092174\u003e] (dump_stack) from [\u003cc0445a30\u003e] (__warn+0x104/0x108)\n[\u003cc0445a30\u003e] (__warn) from [\u003cc0445aa8\u003e] (warn_slowpath_fmt+0x74/0xb8)\n[\u003cc0445aa8\u003e] (warn_slowpath_fmt) from [\u003cc08435d0\u003e] (kobject_get+0xa0/0xa4)\n[\u003cc08435d0\u003e] (kobject_get) from [\u003cbf0a715c\u003e] (tpm_try_get_ops+0x14/0x54 [tpm])\n[\u003cbf0a715c\u003e] (tpm_try_get_ops [tpm]) from [\u003cbf0a7d6c\u003e] (tpm_common_write+0x38/0x60 [tpm])\n[\u003cbf0a7d6c\u003e] (tpm_common_write [tpm]) from [\u003cc05a7ac0\u003e] (vfs_write+0xc4/0x3c0)\n[\u003cc05a7ac0\u003e] (vfs_write) from [\u003cc05a7ee4\u003e] (ksys_write+0x58/0xcc)\n[\u003cc05a7ee4\u003e] (ksys_write) from [\u003cc04001a0\u003e] (ret_fast_syscall+0x0/0x4c)\nException stack(0xc226bfa8 to 0xc226bff0)\nbfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000\nbfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684\nbfe0: 0000006c beafe648 0001056c b6eb6944\n---[ end trace d4b8409def9b8b1f ]---\n\nThe reason for this warning is the attempt to get the chip-\u003edev reference\nin tpm_common_write() although the reference counter is already zero.\n\nSince commit 8979b02aaf1d (\"tpm: Fix reference count to main device\") the\nextra reference used to prevent a premature zero counter is never taken,\nbecause the required TPM_CHIP_FLAG_TPM2 flag is never set.\n\nFix this by moving the TPM 2 character device handling from\ntpm_chip_alloc() to tpm_add_char_device() which is called at a later point\nin time when the flag has been set in case of TPM2.\n\nCommit fdc915f7f719 (\"tpm: expose spaces via a device link /dev/tpmrm\u003cn\u003e\")\nalready introduced function tpm_devs_release() to release the extra\nreference but did not implement the required put on chip-\u003edevs that results\nin the call of this function.\n\nFix this by putting chip-\u003edevs in tpm_chip_unregister().\n\nFinally move the new implementation for the TPM 2 handling into a new\nfunction to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the\ngood case and error cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:17.839Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac"
},
{
"url": "https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2"
},
{
"url": "https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81"
},
{
"url": "https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258"
},
{
"url": "https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe"
},
{
"url": "https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409"
},
{
"url": "https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3"
},
{
"url": "https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712"
}
],
"title": "tpm: fix reference counting for struct tpm_chip",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49287",
"datePublished": "2025-02-26T01:56:26.059Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:17.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49065 (GCVE-0-2022-49065)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix the svc_deferred_event trace class
Fix a NULL deref crash that occurs when an svc_rqst is deferred
while the sunrpc tracing subsystem is enabled. svc_revisit() sets
dr->xprt to NULL, so it can't be relied upon in the tracepoint to
provide the remote's address.
Unfortunately we can't revert the "svc_deferred_class" hunk in
commit ece200ddd54b ("sunrpc: Save remote presentation address in
svc_xprt for trace events") because there is now a specific check
of event format specifiers for unsafe dereferences. The warning
that check emits is:
event svc_defer_recv has unsafe dereference of argument 1
A "%pISpc" format specifier with a "struct sockaddr *" is indeed
flagged by this check.
Instead, take the brute-force approach used by the svcrdma_qp_error
tracepoint. Convert the dr::addr field into a presentation address
in the TP_fast_assign() arm of the trace event, and store that as
a string. This fix can be backported to -stable kernels.
In the meantime, commit c6ced22997ad ("tracing: Update print fmt
check to handle new __get_sockaddr() macro") is now in v5.18, so
this wonky fix can be replaced with __sockaddr() and friends
properly during the v5.19 merge window.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:41.900091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/sunrpc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "85ee17ca21cf92989e8c923e3ea4514c291e9d38",
"status": "affected",
"version": "ece200ddd54b9ce840cfee554fb812560c545c7d",
"versionType": "git"
},
{
"lessThan": "726ae7300fcc25fefa46d188cc07eb16dc908f9e",
"status": "affected",
"version": "ece200ddd54b9ce840cfee554fb812560c545c7d",
"versionType": "git"
},
{
"lessThan": "c2456f470eea3bd06574d988bf6089e7c3f4c5cc",
"status": "affected",
"version": "ece200ddd54b9ce840cfee554fb812560c545c7d",
"versionType": "git"
},
{
"lessThan": "4d5004451ab2218eab94a30e1841462c9316ba19",
"status": "affected",
"version": "ece200ddd54b9ce840cfee554fb812560c545c7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/sunrpc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix the svc_deferred_event trace class\n\nFix a NULL deref crash that occurs when an svc_rqst is deferred\nwhile the sunrpc tracing subsystem is enabled. svc_revisit() sets\ndr-\u003exprt to NULL, so it can\u0027t be relied upon in the tracepoint to\nprovide the remote\u0027s address.\n\nUnfortunately we can\u0027t revert the \"svc_deferred_class\" hunk in\ncommit ece200ddd54b (\"sunrpc: Save remote presentation address in\nsvc_xprt for trace events\") because there is now a specific check\nof event format specifiers for unsafe dereferences. The warning\nthat check emits is:\n\n event svc_defer_recv has unsafe dereference of argument 1\n\nA \"%pISpc\" format specifier with a \"struct sockaddr *\" is indeed\nflagged by this check.\n\nInstead, take the brute-force approach used by the svcrdma_qp_error\ntracepoint. Convert the dr::addr field into a presentation address\nin the TP_fast_assign() arm of the trace event, and store that as\na string. This fix can be backported to -stable kernels.\n\nIn the meantime, commit c6ced22997ad (\"tracing: Update print fmt\ncheck to handle new __get_sockaddr() macro\") is now in v5.18, so\nthis wonky fix can be replaced with __sockaddr() and friends\nproperly during the v5.19 merge window."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:59.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/85ee17ca21cf92989e8c923e3ea4514c291e9d38"
},
{
"url": "https://git.kernel.org/stable/c/726ae7300fcc25fefa46d188cc07eb16dc908f9e"
},
{
"url": "https://git.kernel.org/stable/c/c2456f470eea3bd06574d988bf6089e7c3f4c5cc"
},
{
"url": "https://git.kernel.org/stable/c/4d5004451ab2218eab94a30e1841462c9316ba19"
}
],
"title": "SUNRPC: Fix the svc_deferred_event trace class",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49065",
"datePublished": "2025-02-26T01:54:33.881Z",
"dateReserved": "2025-02-26T01:49:39.244Z",
"dateUpdated": "2025-10-01T19:57:06.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49520 (GCVE-0-2022-49520)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall
If a compat process tries to execute an unknown system call above the
__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the
offending process. Information about the error is printed to dmesg in
compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->
arm64_show_signal().
arm64_show_signal() interprets a non-zero value for
current->thread.fault_code as an exception syndrome and displays the
message associated with the ESR_ELx.EC field (bits 31:26).
current->thread.fault_code is set in compat_arm_syscall() ->
arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx
value. This means that the ESR_ELx.EC field has the value that the user set
for the syscall number and the kernel can end up printing bogus exception
messages*. For example, for the syscall number 0x68000000, which evaluates
to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:
[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]
[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79
[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]
which is misleading, as the bad compat syscall has nothing to do with
pointer authentication.
Stop arm64_show_signal() from printing exception syndrome information by
having compat_arm_syscall() set the ESR_ELx value to 0, as it has no
meaning for an invalid system call number. The example above now becomes:
[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]
[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80
[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]
which although shows less information because the syscall number,
wrongfully advertised as the ESR value, is missing, it is better than
showing plainly wrong information. The syscall number can be easily
obtained with strace.
*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative
integer in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END
evaluates to true; the syscall will exit to userspace in this case with the
ENOSYS error code instead of arm64_notify_die() being called.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/sys_compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efd183d988b416fcdf6f7c298a17ced4859ca77d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ad97425d23af3c3b8d4f6a2bb666cb485087c007",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "621916afe8cd4f322eb12759b64a2f938d4e551d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "095e975f8150ccd7f852eb578c1cdbdd2f517c7a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3910ae71cb963fa2b68e684489d4fc3d105afda0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3fed9e551417b84038b15117732ea4505eee386b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/sys_compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall\n\nIf a compat process tries to execute an unknown system call above the\n__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the\noffending process. Information about the error is printed to dmesg in\ncompat_arm_syscall() -\u003e arm64_notify_die() -\u003e arm64_force_sig_fault() -\u003e\narm64_show_signal().\n\narm64_show_signal() interprets a non-zero value for\ncurrent-\u003ethread.fault_code as an exception syndrome and displays the\nmessage associated with the ESR_ELx.EC field (bits 31:26).\ncurrent-\u003ethread.fault_code is set in compat_arm_syscall() -\u003e\narm64_notify_die() with the bad syscall number instead of a valid ESR_ELx\nvalue. This means that the ESR_ELx.EC field has the value that the user set\nfor the syscall number and the kernel can end up printing bogus exception\nmessages*. For example, for the syscall number 0x68000000, which evaluates\nto ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:\n\n[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]\n[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79\n[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich is misleading, as the bad compat syscall has nothing to do with\npointer authentication.\n\nStop arm64_show_signal() from printing exception syndrome information by\nhaving compat_arm_syscall() set the ESR_ELx value to 0, as it has no\nmeaning for an invalid system call number. The example above now becomes:\n\n[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]\n[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80\n[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich although shows less information because the syscall number,\nwrongfully advertised as the ESR value, is missing, it is better than\nshowing plainly wrong information. The syscall number can be easily\nobtained with strace.\n\n*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative\ninteger in compat_arm_syscal() and the condition scno \u003c __ARM_NR_COMPAT_END\nevaluates to true; the syscall will exit to userspace in this case with the\nENOSYS error code instead of arm64_notify_die() being called."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:41.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efd183d988b416fcdf6f7c298a17ced4859ca77d"
},
{
"url": "https://git.kernel.org/stable/c/ad97425d23af3c3b8d4f6a2bb666cb485087c007"
},
{
"url": "https://git.kernel.org/stable/c/621916afe8cd4f322eb12759b64a2f938d4e551d"
},
{
"url": "https://git.kernel.org/stable/c/095e975f8150ccd7f852eb578c1cdbdd2f517c7a"
},
{
"url": "https://git.kernel.org/stable/c/3910ae71cb963fa2b68e684489d4fc3d105afda0"
},
{
"url": "https://git.kernel.org/stable/c/3fed9e551417b84038b15117732ea4505eee386b"
}
],
"title": "arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49520",
"datePublished": "2025-02-26T02:13:46.336Z",
"dateReserved": "2025-02-26T02:08:31.588Z",
"dateUpdated": "2025-05-04T08:39:41.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49559 (GCVE-0-2022-49559)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Drop WARNs that assert a triple fault never "escapes" from L2
Remove WARNs that sanity check that KVM never lets a triple fault for L2
escape and incorrectly end up in L1. In normal operation, the sanity
check is perfectly valid, but it incorrectly assumes that it's impossible
for userspace to induce KVM_REQ_TRIPLE_FAULT without bouncing through
KVM_RUN (which guarantees kvm_check_nested_state() will see and handle
the triple fault).
The WARN can currently be triggered if userspace injects a machine check
while L2 is active and CR4.MCE=0. And a future fix to allow save/restore
of KVM_REQ_TRIPLE_FAULT, e.g. so that a synthesized triple fault isn't
lost on migration, will make it trivially easy for userspace to trigger
the WARN.
Clearing KVM_REQ_TRIPLE_FAULT when forcibly leaving guest mode is
tempting, but wrong, especially if/when the request is saved/restored,
e.g. if userspace restores events (including a triple fault) and then
restores nested state (which may forcibly leave guest mode). Ignoring
the fact that KVM doesn't currently provide the necessary APIs, it's
userspace's responsibility to manage pending events during save/restore.
------------[ cut here ]------------
WARNING: CPU: 7 PID: 1399 at arch/x86/kvm/vmx/nested.c:4522 nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]
Modules linked in: kvm_intel kvm irqbypass
CPU: 7 PID: 1399 Comm: state_test Not tainted 5.17.0-rc3+ #808
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]
Call Trace:
<TASK>
vmx_leave_nested+0x30/0x40 [kvm_intel]
vmx_set_nested_state+0xca/0x3e0 [kvm_intel]
kvm_arch_vcpu_ioctl+0xf49/0x13e0 [kvm]
kvm_vcpu_ioctl+0x4b9/0x660 [kvm]
__x64_sys_ioctl+0x83/0xb0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
---[ end trace 0000000000000000 ]---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c",
"arch/x86/kvm/vmx/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d3a2aa0976f57320ba89baf9d57fb158dd0cd0d",
"status": "affected",
"version": "cb6a32c2b8777ad31a02e585584d869251a790e3",
"versionType": "git"
},
{
"lessThan": "f476a59d5c86c02a79eef893c6da86735f2977ac",
"status": "affected",
"version": "cb6a32c2b8777ad31a02e585584d869251a790e3",
"versionType": "git"
},
{
"lessThan": "7de373c9b48229e428ecdb8fbde269c5a8617fd2",
"status": "affected",
"version": "cb6a32c2b8777ad31a02e585584d869251a790e3",
"versionType": "git"
},
{
"lessThan": "45846661d10422ce9e22da21f8277540b29eca22",
"status": "affected",
"version": "cb6a32c2b8777ad31a02e585584d869251a790e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/nested.c",
"arch/x86/kvm/vmx/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.45",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Drop WARNs that assert a triple fault never \"escapes\" from L2\n\nRemove WARNs that sanity check that KVM never lets a triple fault for L2\nescape and incorrectly end up in L1. In normal operation, the sanity\ncheck is perfectly valid, but it incorrectly assumes that it\u0027s impossible\nfor userspace to induce KVM_REQ_TRIPLE_FAULT without bouncing through\nKVM_RUN (which guarantees kvm_check_nested_state() will see and handle\nthe triple fault).\n\nThe WARN can currently be triggered if userspace injects a machine check\nwhile L2 is active and CR4.MCE=0. And a future fix to allow save/restore\nof KVM_REQ_TRIPLE_FAULT, e.g. so that a synthesized triple fault isn\u0027t\nlost on migration, will make it trivially easy for userspace to trigger\nthe WARN.\n\nClearing KVM_REQ_TRIPLE_FAULT when forcibly leaving guest mode is\ntempting, but wrong, especially if/when the request is saved/restored,\ne.g. if userspace restores events (including a triple fault) and then\nrestores nested state (which may forcibly leave guest mode). Ignoring\nthe fact that KVM doesn\u0027t currently provide the necessary APIs, it\u0027s\nuserspace\u0027s responsibility to manage pending events during save/restore.\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 1399 at arch/x86/kvm/vmx/nested.c:4522 nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 7 PID: 1399 Comm: state_test Not tainted 5.17.0-rc3+ #808\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n Call Trace:\n \u003cTASK\u003e\n vmx_leave_nested+0x30/0x40 [kvm_intel]\n vmx_set_nested_state+0xca/0x3e0 [kvm_intel]\n kvm_arch_vcpu_ioctl+0xf49/0x13e0 [kvm]\n kvm_vcpu_ioctl+0x4b9/0x660 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:32.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d3a2aa0976f57320ba89baf9d57fb158dd0cd0d"
},
{
"url": "https://git.kernel.org/stable/c/f476a59d5c86c02a79eef893c6da86735f2977ac"
},
{
"url": "https://git.kernel.org/stable/c/7de373c9b48229e428ecdb8fbde269c5a8617fd2"
},
{
"url": "https://git.kernel.org/stable/c/45846661d10422ce9e22da21f8277540b29eca22"
}
],
"title": "KVM: x86: Drop WARNs that assert a triple fault never \"escapes\" from L2",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49559",
"datePublished": "2025-02-26T02:14:05.059Z",
"dateReserved": "2025-02-26T02:08:31.591Z",
"dateUpdated": "2025-05-04T08:40:32.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49354 (GCVE-0-2022-49354)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
of_find_device_by_node() takes reference, we should use put_device()
to release it when not need anymore.
Add missing put_device() to avoid refcount leak.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 Version: 43f01da0f2794b464ade2ffe1f780c69d7ce7b75 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:44.740231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:54.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/pata_octeon_cf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bd85c5ba1687daf54e3b6907673c3604b1e75cf",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "a4d3e5f1d7d4f8b5e3834fec0f057a762c55806b",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "8d8ad067b90f231b8fdb14acee673ca4012f6045",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "d5a1e7f33c88780b279835d63665d7e38ccb671f",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "19cb3ece14547cb1ca2021798aaf49a3f82643d1",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "888312dc297a8a103f6371ef668c7e04f57a7679",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "c9782e1b21bee4b783a64b2a91e7e71406c21a21",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "fb2cb409b504bb3a69e65a17f3120328c8e50219",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
},
{
"lessThan": "10d6bdf532902be1d8aa5900b3c03c5671612aa2",
"status": "affected",
"version": "43f01da0f2794b464ade2ffe1f780c69d7ce7b75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/pata_octeon_cf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe\n\nof_find_device_by_node() takes reference, we should use put_device()\nto release it when not need anymore.\nAdd missing put_device() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:55.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bd85c5ba1687daf54e3b6907673c3604b1e75cf"
},
{
"url": "https://git.kernel.org/stable/c/a4d3e5f1d7d4f8b5e3834fec0f057a762c55806b"
},
{
"url": "https://git.kernel.org/stable/c/8d8ad067b90f231b8fdb14acee673ca4012f6045"
},
{
"url": "https://git.kernel.org/stable/c/d5a1e7f33c88780b279835d63665d7e38ccb671f"
},
{
"url": "https://git.kernel.org/stable/c/19cb3ece14547cb1ca2021798aaf49a3f82643d1"
},
{
"url": "https://git.kernel.org/stable/c/888312dc297a8a103f6371ef668c7e04f57a7679"
},
{
"url": "https://git.kernel.org/stable/c/c9782e1b21bee4b783a64b2a91e7e71406c21a21"
},
{
"url": "https://git.kernel.org/stable/c/fb2cb409b504bb3a69e65a17f3120328c8e50219"
},
{
"url": "https://git.kernel.org/stable/c/10d6bdf532902be1d8aa5900b3c03c5671612aa2"
}
],
"title": "ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49354",
"datePublished": "2025-02-26T02:11:05.466Z",
"dateReserved": "2025-02-26T02:08:31.545Z",
"dateUpdated": "2025-10-01T19:46:54.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49345 (GCVE-0-2022-49345)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: xfrm: unexport __init-annotated xfrm4_protocol_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
net/ipv4/xfrm4_policy.c is never compiled as modular.
(CONFIG_XFRM is boolean)
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 Version: 2f32b51b609faea1e40bb8c5bd305f1351740936 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c58d82a1264813e69119c13e9804e2e60b664ad5",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "e53cd3814504b2cadaba4d5a8a07eeea9ddacd03",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "31f3c6a4dcd3260a386e62cef2d5b36e902600a1",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "ef6d2354de238b065d8799c80da4be9a6af18e39",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "be3884d5cd04ccd58294b83a02d70b7c5fca19d3",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "85a055c03691e51499123194a14a0c249cf33227",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "e04d59cfe0c0129df7aba7ef7bb17b96be2a64f2",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "2b253fbc9f7b5db18d716436bdcf8ecef09fd63d",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
},
{
"lessThan": "4a388f08d8784af48f352193d2b72aaf167a57a1",
"status": "affected",
"version": "2f32b51b609faea1e40bb8c5bd305f1351740936",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/xfrm4_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xfrm: unexport __init-annotated xfrm4_protocol_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\nnet/ipv4/xfrm4_policy.c is never compiled as modular.\n(CONFIG_XFRM is boolean)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:44.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c58d82a1264813e69119c13e9804e2e60b664ad5"
},
{
"url": "https://git.kernel.org/stable/c/e53cd3814504b2cadaba4d5a8a07eeea9ddacd03"
},
{
"url": "https://git.kernel.org/stable/c/31f3c6a4dcd3260a386e62cef2d5b36e902600a1"
},
{
"url": "https://git.kernel.org/stable/c/ef6d2354de238b065d8799c80da4be9a6af18e39"
},
{
"url": "https://git.kernel.org/stable/c/be3884d5cd04ccd58294b83a02d70b7c5fca19d3"
},
{
"url": "https://git.kernel.org/stable/c/85a055c03691e51499123194a14a0c249cf33227"
},
{
"url": "https://git.kernel.org/stable/c/e04d59cfe0c0129df7aba7ef7bb17b96be2a64f2"
},
{
"url": "https://git.kernel.org/stable/c/2b253fbc9f7b5db18d716436bdcf8ecef09fd63d"
},
{
"url": "https://git.kernel.org/stable/c/4a388f08d8784af48f352193d2b72aaf167a57a1"
}
],
"title": "net: xfrm: unexport __init-annotated xfrm4_protocol_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49345",
"datePublished": "2025-02-26T02:11:00.976Z",
"dateReserved": "2025-02-26T02:08:31.542Z",
"dateUpdated": "2025-05-04T08:35:44.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57999 (GCVE-0-2024-57999)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 10:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW
Power Hypervisor can possibily allocate MMIO window intersecting with
Dynamic DMA Window (DDW) range, which is over 32-bit addressing.
These MMIO pages needs to be marked as reserved so that IOMMU doesn't map
DMA buffers in this range.
The current code is not marking these pages correctly which is resulting
in LPAR to OOPS while booting. The stack is at below
BUG: Unable to handle kernel data access on read at 0xc00800005cd40000
Faulting instruction address: 0xc00000000005cdac
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod
Supported: Yes, External
CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b
Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries
Workqueue: events work_for_cpu_fn
NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000
REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24228448 XER: 00000001
CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800
GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000
GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff
GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000
GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800
GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b
GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8
GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800
NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
LR [c00000000005e830] iommu_init_table+0x80/0x1e0
Call Trace:
[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18
There are 2 issues in the code
1. The index is "int" while the address is "unsigned long". This results in
negative value when setting the bitmap.
2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit
address). MMIO address needs to be page shifted as well.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/iommu.c",
"arch/powerpc/platforms/pseries/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7043d58ecd1381674f5b2c894deb6986a1a4896b",
"status": "affected",
"version": "3c33066a21903076722a2881556a92aa3cd7d359",
"versionType": "git"
},
{
"lessThan": "d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9",
"status": "affected",
"version": "3c33066a21903076722a2881556a92aa3cd7d359",
"versionType": "git"
},
{
"lessThan": "8f70caad82e9c088ed93b4fea48d941ab6441886",
"status": "affected",
"version": "3c33066a21903076722a2881556a92aa3cd7d359",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/iommu.c",
"arch/powerpc/platforms/pseries/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW\n\nPower Hypervisor can possibily allocate MMIO window intersecting with\nDynamic DMA Window (DDW) range, which is over 32-bit addressing.\n\nThese MMIO pages needs to be marked as reserved so that IOMMU doesn\u0027t map\nDMA buffers in this range.\n\nThe current code is not marking these pages correctly which is resulting\nin LPAR to OOPS while booting. The stack is at below\n\nBUG: Unable to handle kernel data access on read at 0xc00800005cd40000\nFaulting instruction address: 0xc00000000005cdac\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod\nSupported: Yes, External\nCPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b\nHardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries\nWorkqueue: events work_for_cpu_fn\nNIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000\nREGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default)\nMSR: 800000000280b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e CR: 24228448 XER: 00000001\nCFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0\nGPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800\nGPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000\nGPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff\nGPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000\nGPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800\nGPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b\nGPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8\nGPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800\nNIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100\nLR [c00000000005e830] iommu_init_table+0x80/0x1e0\nCall Trace:\n[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)\n[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40\n[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230\n[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90\n[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80\n[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]\n[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110\n[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60\n[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620\n[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620\n[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150\n[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18\n\nThere are 2 issues in the code\n\n1. The index is \"int\" while the address is \"unsigned long\". This results in\n negative value when setting the bitmap.\n\n2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit\n address). MMIO address needs to be page shifted as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:04.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7043d58ecd1381674f5b2c894deb6986a1a4896b"
},
{
"url": "https://git.kernel.org/stable/c/d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9"
},
{
"url": "https://git.kernel.org/stable/c/8f70caad82e9c088ed93b4fea48d941ab6441886"
}
],
"title": "powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57999",
"datePublished": "2025-02-27T02:07:18.570Z",
"dateReserved": "2025-02-27T02:04:28.915Z",
"dateUpdated": "2025-05-04T10:08:04.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49329 (GCVE-0-2022-49329)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vduse: Fix NULL pointer dereference on sysfs access
The control device has no drvdata. So we will get a
NULL pointer dereference when accessing control
device's msg_timeout attribute via sysfs:
[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8
[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271)
[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094)
[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59)
[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088)
[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164)
[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230)
[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041)
[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238)
[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1))
[ 132.876319][ T3644] kernel_read (fs/read_write.c:459)
[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94)
[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186)
[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207)
[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189)
[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)
To fix it, don't create the unneeded attribute for
control device anymore.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:43:23.093738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:55.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_user/vduse_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a7a81f4835dfda11f39fdd27586da14331896eb",
"status": "affected",
"version": "c8a6153b6c59d95c0e091f053f6f180952ade91e",
"versionType": "git"
},
{
"lessThan": "30fd1b56621e187346f65d01fe34870634b15188",
"status": "affected",
"version": "c8a6153b6c59d95c0e091f053f6f180952ade91e",
"versionType": "git"
},
{
"lessThan": "b22fdee17ec62604060fb0fda5e1414b634666e1",
"status": "affected",
"version": "c8a6153b6c59d95c0e091f053f6f180952ade91e",
"versionType": "git"
},
{
"lessThan": "b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9",
"status": "affected",
"version": "c8a6153b6c59d95c0e091f053f6f180952ade91e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_user/vduse_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: Fix NULL pointer dereference on sysfs access\n\nThe control device has no drvdata. So we will get a\nNULL pointer dereference when accessing control\ndevice\u0027s msg_timeout attribute via sysfs:\n\n[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271)\n[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094)\n[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59)\n[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088)\n[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164)\n[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230)\n[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041)\n[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238)\n[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1))\n[ 132.876319][ T3644] kernel_read (fs/read_write.c:459)\n[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94)\n[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186)\n[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207)\n[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189)\n[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)\n[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)\n\nTo fix it, don\u0027t create the unneeded attribute for\ncontrol device anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:19.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a7a81f4835dfda11f39fdd27586da14331896eb"
},
{
"url": "https://git.kernel.org/stable/c/30fd1b56621e187346f65d01fe34870634b15188"
},
{
"url": "https://git.kernel.org/stable/c/b22fdee17ec62604060fb0fda5e1414b634666e1"
},
{
"url": "https://git.kernel.org/stable/c/b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9"
}
],
"title": "vduse: Fix NULL pointer dereference on sysfs access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49329",
"datePublished": "2025-02-26T02:10:50.073Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-10-01T19:46:55.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58072 (GCVE-0-2024-58072)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: remove unused check_buddy_priv
Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global
list of private data structures.
Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match
vendor version 2013.02.07") started adding the private data to that list at
probe time and added a hook, check_buddy_priv to find the private data from
a similar device.
However, that function was never used.
Besides, though there is a lock for that list, it is never used. And when
the probe fails, the private data is never removed from the list. This
would cause a second probe to access freed memory.
Remove the unused hook, structures and members, which will prevent the
potential race condition on the list and its corruption during a second
probe when probe fails.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd Version: 26634c4b1868323f49f8cd24c3493b57819867fd |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:08.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/base.c",
"drivers/net/wireless/realtek/rtlwifi/base.h",
"drivers/net/wireless/realtek/rtlwifi/pci.c",
"drivers/net/wireless/realtek/rtlwifi/wifi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f801e754efa21bd61b3cc15ec7565696165b272f",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "8e2fcc68fbaab3ad9f5671fee2be0956134b740a",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "1e39b0486cdb496cdfba3bc89886150e46acf6f4",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "543e3e9f2e9e47ded774c74e680f28a0ca362aee",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "006e803af7408c3fc815b0654fc5ab43d34f0154",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
},
{
"lessThan": "2fdac64c3c35858aa8ac5caa70b232e03456e120",
"status": "affected",
"version": "26634c4b1868323f49f8cd24c3493b57819867fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/base.c",
"drivers/net/wireless/realtek/rtlwifi/base.h",
"drivers/net/wireless/realtek/rtlwifi/pci.c",
"drivers/net/wireless/realtek/rtlwifi/wifi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: remove unused check_buddy_priv\n\nCommit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global\nlist of private data structures.\n\nLater on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match\nvendor version 2013.02.07\") started adding the private data to that list at\nprobe time and added a hook, check_buddy_priv to find the private data from\na similar device.\n\nHowever, that function was never used.\n\nBesides, though there is a lock for that list, it is never used. And when\nthe probe fails, the private data is never removed from the list. This\nwould cause a second probe to access freed memory.\n\nRemove the unused hook, structures and members, which will prevent the\npotential race condition on the list and its corruption during a second\nprobe when probe fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:20.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f801e754efa21bd61b3cc15ec7565696165b272f"
},
{
"url": "https://git.kernel.org/stable/c/1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9"
},
{
"url": "https://git.kernel.org/stable/c/8e2fcc68fbaab3ad9f5671fee2be0956134b740a"
},
{
"url": "https://git.kernel.org/stable/c/1e39b0486cdb496cdfba3bc89886150e46acf6f4"
},
{
"url": "https://git.kernel.org/stable/c/465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1"
},
{
"url": "https://git.kernel.org/stable/c/543e3e9f2e9e47ded774c74e680f28a0ca362aee"
},
{
"url": "https://git.kernel.org/stable/c/006e803af7408c3fc815b0654fc5ab43d34f0154"
},
{
"url": "https://git.kernel.org/stable/c/2fdac64c3c35858aa8ac5caa70b232e03456e120"
}
],
"title": "wifi: rtlwifi: remove unused check_buddy_priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58072",
"datePublished": "2025-03-06T15:54:11.665Z",
"dateReserved": "2025-03-06T15:52:09.182Z",
"dateUpdated": "2025-11-03T19:34:08.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49061 (GCVE-0-2022-49061)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
When using a fixed-link, the altr_tse_pcs driver crashes
due to null-pointer dereference as no phy_device is provided to
tse_pcs_fix_mac_speed function. Fix this by adding a check for
phy_dev before calling the tse_pcs_fix_mac_speed() function.
Also clean up the tse_pcs_fix_mac_speed function a bit. There is
no need to check for splitter_base and sgmii_adapter_base
because the driver will fail if these 2 variables are not
derived from the device tree.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:50.480131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c",
"drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h",
"drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e59fdf9547c4f948d1d917ec7ffa5fb5ac53bdb",
"status": "affected",
"version": "fb3bbdb859891e6bc27fd1afb3a07319f82c2ee4",
"versionType": "git"
},
{
"lessThan": "08d5e3e954537931c8da7428034808d202e98299",
"status": "affected",
"version": "fb3bbdb859891e6bc27fd1afb3a07319f82c2ee4",
"versionType": "git"
},
{
"lessThan": "62a48383ebe2e159fd68425dd3e16d4c6bd6599a",
"status": "affected",
"version": "fb3bbdb859891e6bc27fd1afb3a07319f82c2ee4",
"versionType": "git"
},
{
"lessThan": "6c020f05253df04c3480b586fe188a3582740049",
"status": "affected",
"version": "fb3bbdb859891e6bc27fd1afb3a07319f82c2ee4",
"versionType": "git"
},
{
"lessThan": "a6aaa00324240967272b451bfa772547bd576ee6",
"status": "affected",
"version": "fb3bbdb859891e6bc27fd1afb3a07319f82c2ee4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c",
"drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h",
"drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link\n\nWhen using a fixed-link, the altr_tse_pcs driver crashes\ndue to null-pointer dereference as no phy_device is provided to\ntse_pcs_fix_mac_speed function. Fix this by adding a check for\nphy_dev before calling the tse_pcs_fix_mac_speed() function.\n\nAlso clean up the tse_pcs_fix_mac_speed function a bit. There is\nno need to check for splitter_base and sgmii_adapter_base\nbecause the driver will fail if these 2 variables are not\nderived from the device tree."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:54.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e59fdf9547c4f948d1d917ec7ffa5fb5ac53bdb"
},
{
"url": "https://git.kernel.org/stable/c/08d5e3e954537931c8da7428034808d202e98299"
},
{
"url": "https://git.kernel.org/stable/c/62a48383ebe2e159fd68425dd3e16d4c6bd6599a"
},
{
"url": "https://git.kernel.org/stable/c/6c020f05253df04c3480b586fe188a3582740049"
},
{
"url": "https://git.kernel.org/stable/c/a6aaa00324240967272b451bfa772547bd576ee6"
}
],
"title": "net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49061",
"datePublished": "2025-02-26T01:54:31.142Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-10-01T19:57:06.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49375 (GCVE-0-2022-49375)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: mt6397: check return value after calling platform_get_resource()
It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 Version: fc2979118f3f5193475cb53d5df7bdaa7e358a42 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:01.932196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:52.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-mt6397.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3867f0bbb94773d41e789257abec0d14f37da217",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "79fa3f5758d8712df0678df98161f948fc4370e5",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "6ecd4d5c28408df36a1a6f0b1973f633c949ac1f",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "d77f28c1bc9d3043a52069fe42e4a26fbf961ebd",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "82bfea344e8f7e9a0e0b1bf9af27552baa756620",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "865051de2d9eaa50630e055b73921ceaf3c4a7fc",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "58a729c55ce3a432eb827fdaa24c7909cd3b0a6b",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "da38e86d6cf6dd3bc65c602d998f357145aa1a0b",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
},
{
"lessThan": "d3b43eb505bffb8e4cdf6800c15660c001553fe6",
"status": "affected",
"version": "fc2979118f3f5193475cb53d5df7bdaa7e358a42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rtc/rtc-mt6397.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.318",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: mt6397: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:20.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3867f0bbb94773d41e789257abec0d14f37da217"
},
{
"url": "https://git.kernel.org/stable/c/79fa3f5758d8712df0678df98161f948fc4370e5"
},
{
"url": "https://git.kernel.org/stable/c/6ecd4d5c28408df36a1a6f0b1973f633c949ac1f"
},
{
"url": "https://git.kernel.org/stable/c/d77f28c1bc9d3043a52069fe42e4a26fbf961ebd"
},
{
"url": "https://git.kernel.org/stable/c/82bfea344e8f7e9a0e0b1bf9af27552baa756620"
},
{
"url": "https://git.kernel.org/stable/c/865051de2d9eaa50630e055b73921ceaf3c4a7fc"
},
{
"url": "https://git.kernel.org/stable/c/58a729c55ce3a432eb827fdaa24c7909cd3b0a6b"
},
{
"url": "https://git.kernel.org/stable/c/da38e86d6cf6dd3bc65c602d998f357145aa1a0b"
},
{
"url": "https://git.kernel.org/stable/c/d3b43eb505bffb8e4cdf6800c15660c001553fe6"
}
],
"title": "rtc: mt6397: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49375",
"datePublished": "2025-02-26T02:11:15.627Z",
"dateReserved": "2025-02-26T02:08:31.557Z",
"dateUpdated": "2025-10-01T19:46:52.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57834 (GCVE-0-2024-57834)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]
If dvb->mux is not initialized successfully by vidtv_mux_init() in the
vidtv_start_streaming(), it will trigger null pointer dereference about mux
in vidtv_mux_stop_thread().
Adjust the timing of streaming initialization and check it before
stopping it.
[1]
KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471
Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125
RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128
RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188
R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710
FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]
vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252
dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000
dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486
dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3f8/0xb60 fs/file_table.c:450
task_work_run+0x14e/0x250 kernel/task_work.c:239
get_signal+0x1d3/0x2610 kernel/signal.c:2790
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 Version: f90cf6079bf67988f8b1ad1ade70fc89d0080905 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:45.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52d3512f9a7a52ef92864679b1e8e8aa16202c6a",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "59a707ad952eb2ea8d59457d662b6f4138f17b08",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "86307e443c5844f38e1b98e2c51a4195c55576cd",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "2c5601b99d79d196fe4a37159e3dfb38e778ea18",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "95432a37778c9c5dd105b7b9f19e9695c9e166cf",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "904a8323cc8afa7eb9ce3e67303a2b3f2f787306",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "1221989555db711578a327a9367f1be46500cb48",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread\n\nsyzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]\n\nIf dvb-\u003emux is not initialized successfully by vidtv_mux_init() in the\nvidtv_start_streaming(), it will trigger null pointer dereference about mux\nin vidtv_mux_stop_thread().\n\nAdjust the timing of streaming initialization and check it before\nstopping it.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\nCPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471\nCode: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8\nRSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125\nRDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128\nRBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188\nR13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710\nFS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]\n vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252\n dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000\n dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486\n dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3f8/0xb60 fs/file_table.c:450\n task_work_run+0x14e/0x250 kernel/task_work.c:239\n get_signal+0x1d3/0x2610 kernel/signal.c:2790\n arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:05:18.306Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52d3512f9a7a52ef92864679b1e8e8aa16202c6a"
},
{
"url": "https://git.kernel.org/stable/c/59a707ad952eb2ea8d59457d662b6f4138f17b08"
},
{
"url": "https://git.kernel.org/stable/c/86307e443c5844f38e1b98e2c51a4195c55576cd"
},
{
"url": "https://git.kernel.org/stable/c/2c5601b99d79d196fe4a37159e3dfb38e778ea18"
},
{
"url": "https://git.kernel.org/stable/c/95432a37778c9c5dd105b7b9f19e9695c9e166cf"
},
{
"url": "https://git.kernel.org/stable/c/904a8323cc8afa7eb9ce3e67303a2b3f2f787306"
},
{
"url": "https://git.kernel.org/stable/c/1221989555db711578a327a9367f1be46500cb48"
}
],
"title": "media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57834",
"datePublished": "2025-02-27T02:18:09.085Z",
"dateReserved": "2025-02-27T02:16:34.111Z",
"dateUpdated": "2025-11-03T19:32:45.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57974 (GCVE-0-2024-57974)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 10:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: Deal with race between UDP socket address change and rehash
If a UDP socket changes its local address while it's receiving
datagrams, as a result of connect(), there is a period during which
a lookup operation might fail to find it, after the address is changed
but before the secondary hash (port and address) and the four-tuple
hash (local and remote ports and addresses) are updated.
Secondary hash chains were introduced by commit 30fff9231fad ("udp:
bind() optimisation") and, as a result, a rehash operation became
needed to make a bound socket reachable again after a connect().
This operation was introduced by commit 719f835853a9 ("udp: add
rehash on connect()") which isn't however a complete fix: the
socket will be found once the rehashing completes, but not while
it's pending.
This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a
client sending datagrams to it. After the server receives the first
datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to
the address of the sender, in order to set up a directed flow.
Now, if the client, running on a different CPU thread, happens to
send a (subsequent) datagram while the server's socket changes its
address, but is not rehashed yet, this will result in a failed
lookup and a port unreachable error delivered to the client, as
apparent from the following reproducer:
LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))
dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in
while :; do
taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
sleep 0.1 || sleep 1
taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null
wait
done
where the client will eventually get ECONNREFUSED on a write()
(typically the second or third one of a given iteration):
2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused
This issue was first observed as a seldom failure in Podman's tests
checking UDP functionality while using pasta(1) to connect the
container's network namespace, which leads us to a reproducer with
the lookup error resulting in an ICMP packet on a tap device:
LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')"
while :; do
./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
sleep 0.2 || sleep 1
socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null
wait
cmp tmp.in tmp.out
done
Once this fails:
tmp.in tmp.out differ: char 8193, line 29
we can finally have a look at what's going on:
$ tshark -r pasta.pcap
1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2
2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164
6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55
7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)
9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096
12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0
On the third datagram received, the network namespace of the container
initiates an ARP lookup to deliver the ICMP message.
In another variant of this reproducer, starting the client with:
strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c",
"net/ipv6/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f8344fce91c5766d368edb0ad80142eacd805c7",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "d65d3bf309b2649d27b24efd0d8784da2d81f2a6",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c",
"net/ipv6/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Deal with race between UDP socket address change and rehash\n\nIf a UDP socket changes its local address while it\u0027s receiving\ndatagrams, as a result of connect(), there is a period during which\na lookup operation might fail to find it, after the address is changed\nbut before the secondary hash (port and address) and the four-tuple\nhash (local and remote ports and addresses) are updated.\n\nSecondary hash chains were introduced by commit 30fff9231fad (\"udp:\nbind() optimisation\") and, as a result, a rehash operation became\nneeded to make a bound socket reachable again after a connect().\n\nThis operation was introduced by commit 719f835853a9 (\"udp: add\nrehash on connect()\") which isn\u0027t however a complete fix: the\nsocket will be found once the rehashing completes, but not while\nit\u0027s pending.\n\nThis is noticeable with a socat(1) server in UDP4-LISTEN mode, and a\nclient sending datagrams to it. After the server receives the first\ndatagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to\nthe address of the sender, in order to set up a directed flow.\n\nNow, if the client, running on a different CPU thread, happens to\nsend a (subsequent) datagram while the server\u0027s socket changes its\naddress, but is not rehashed yet, this will result in a failed\nlookup and a port unreachable error delivered to the client, as\napparent from the following reproducer:\n\n LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))\n dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in\n\n while :; do\n \ttaskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc \u0026\n \tsleep 0.1 || sleep 1\n \ttaskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null\n \twait\n done\n\nwhere the client will eventually get ECONNREFUSED on a write()\n(typically the second or third one of a given iteration):\n\n 2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused\n\nThis issue was first observed as a seldom failure in Podman\u0027s tests\nchecking UDP functionality while using pasta(1) to connect the\ncontainer\u0027s network namespace, which leads us to a reproducer with\nthe lookup error resulting in an ICMP packet on a tap device:\n\n LOCAL_ADDR=\"$(ip -j -4 addr show|jq -rM \u0027.[] | .addr_info[0] | select(.scope == \"global\").local\u0027)\"\n\n while :; do\n \t./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc \u0026\n \tsleep 0.2 || sleep 1\n \tsocat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null\n \twait\n \tcmp tmp.in tmp.out\n done\n\nOnce this fails:\n\n tmp.in tmp.out differ: char 8193, line 29\n\nwe can finally have a look at what\u0027s going on:\n\n $ tshark -r pasta.pcap\n 1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2\n 2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164\n 6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55\n 7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)\n 9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n 11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096\n 12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0\n\nOn the third datagram received, the network namespace of the container\ninitiates an ARP lookup to deliver the ICMP message.\n\nIn another variant of this reproducer, starting the client with:\n\n strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:29.082Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f8344fce91c5766d368edb0ad80142eacd805c7"
},
{
"url": "https://git.kernel.org/stable/c/d65d3bf309b2649d27b24efd0d8784da2d81f2a6"
},
{
"url": "https://git.kernel.org/stable/c/a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c"
}
],
"title": "udp: Deal with race between UDP socket address change and rehash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57974",
"datePublished": "2025-02-27T02:07:02.973Z",
"dateReserved": "2025-02-27T02:04:28.912Z",
"dateUpdated": "2025-05-04T10:07:29.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49410 (GCVE-0-2022-49410)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix potential double free in create_var_ref()
In create_var_ref(), init_var_ref() is called to initialize the fields
of variable ref_field, which is allocated in the previous function call
to create_hist_field(). Function init_var_ref() allocates the
corresponding fields such as ref_field->system, but frees these fields
when the function encounters an error. The caller later calls
destroy_hist_field() to conduct error handling, which frees the fields
and the variable itself. This results in double free of the fields which
are already freed in the previous function.
Fix this by storing NULL to the corresponding fields when they are freed
in init_var_ref().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 Version: 067fe038e70f6e64960d26a79c4df5f1413d0f13 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:12.408852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8b383f83cb573152c577eca1ef101e89995b72a",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "c27f744ceefadc7bbeb14233b6abc150ced617d2",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "058cb6d86b9789377216c936506b346aaa1eb581",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "37443b3508b8cce6832f8d25cb4550b2f7801f50",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "4fdfb15e08598711dbf50daf56a33965232daf0e",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "bd83ff3bbfb003832481c9bff999d12385f396ae",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
},
{
"lessThan": "99696a2592bca641eb88cc9a80c90e591afebd0f",
"status": "affected",
"version": "067fe038e70f6e64960d26a79c4df5f1413d0f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential double free in create_var_ref()\n\nIn create_var_ref(), init_var_ref() is called to initialize the fields\nof variable ref_field, which is allocated in the previous function call\nto create_hist_field(). Function init_var_ref() allocates the\ncorresponding fields such as ref_field-\u003esystem, but frees these fields\nwhen the function encounters an error. The caller later calls\ndestroy_hist_field() to conduct error handling, which frees the fields\nand the variable itself. This results in double free of the fields which\nare already freed in the previous function.\n\nFix this by storing NULL to the corresponding fields when they are freed\nin init_var_ref()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:04.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8b383f83cb573152c577eca1ef101e89995b72a"
},
{
"url": "https://git.kernel.org/stable/c/c27f744ceefadc7bbeb14233b6abc150ced617d2"
},
{
"url": "https://git.kernel.org/stable/c/058cb6d86b9789377216c936506b346aaa1eb581"
},
{
"url": "https://git.kernel.org/stable/c/37443b3508b8cce6832f8d25cb4550b2f7801f50"
},
{
"url": "https://git.kernel.org/stable/c/4fdfb15e08598711dbf50daf56a33965232daf0e"
},
{
"url": "https://git.kernel.org/stable/c/bd83ff3bbfb003832481c9bff999d12385f396ae"
},
{
"url": "https://git.kernel.org/stable/c/99696a2592bca641eb88cc9a80c90e591afebd0f"
}
],
"title": "tracing: Fix potential double free in create_var_ref()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49410",
"datePublished": "2025-02-26T02:12:33.124Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-10-01T19:46:50.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49510 (GCVE-0-2022-49510)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/omap: fix NULL but dereferenced coccicheck error
Fix the following coccicheck warning:
./drivers/gpu/drm/omapdrm/omap_overlay.c:89:22-25: ERROR: r_ovl is NULL
but dereferenced.
Here should be ovl->idx rather than r_ovl->idx.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:22.520760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:42.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/omapdrm/omap_overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2507be660310bb9bcca918f81f49b8bba07e462",
"status": "affected",
"version": "e02b5cc9e898ad6f223a69df63397beae60390ff",
"versionType": "git"
},
{
"lessThan": "08d9a75eab594ca508a440db7c73064498d26687",
"status": "affected",
"version": "e02b5cc9e898ad6f223a69df63397beae60390ff",
"versionType": "git"
},
{
"lessThan": "8f2a3970c969d0d8d7289a4c65edcedafc16fd92",
"status": "affected",
"version": "e02b5cc9e898ad6f223a69df63397beae60390ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/omapdrm/omap_overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/omap: fix NULL but dereferenced coccicheck error\n\nFix the following coccicheck warning:\n./drivers/gpu/drm/omapdrm/omap_overlay.c:89:22-25: ERROR: r_ovl is NULL\nbut dereferenced.\n\nHere should be ovl-\u003eidx rather than r_ovl-\u003eidx."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:29.345Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2507be660310bb9bcca918f81f49b8bba07e462"
},
{
"url": "https://git.kernel.org/stable/c/08d9a75eab594ca508a440db7c73064498d26687"
},
{
"url": "https://git.kernel.org/stable/c/8f2a3970c969d0d8d7289a4c65edcedafc16fd92"
}
],
"title": "drm/omap: fix NULL but dereferenced coccicheck error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49510",
"datePublished": "2025-02-26T02:13:40.777Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-10-01T19:46:42.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49200 (GCVE-0-2022-49200)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt
Fix the following kernel oops in btmtksdio_interrrupt
[ 14.339134] btmtksdio_interrupt+0x28/0x54
[ 14.339139] process_sdio_pending_irqs+0x68/0x1a0
[ 14.339144] sdio_irq_work+0x40/0x70
[ 14.339154] process_one_work+0x184/0x39c
[ 14.339160] worker_thread+0x228/0x3e8
[ 14.339168] kthread+0x148/0x3ac
[ 14.339176] ret_from_fork+0x10/0x30
That happened because hdev->power_on is already called before
sdio_set_drvdata which btmtksdio_interrupt handler relies on is not
properly set up.
The details are shown as the below: hci_register_dev would run
queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI
workqueue_struct to complete the power-on sequeunce and thus hci_power_on
may run before sdio_set_drvdata is done in btmtksdio_probe.
The hci_dev_do_open in hci_power_on would initialize the device and enable
the interrupt and thus it is possible that btmtksdio_interrupt is being
called right before sdio_set_drvdata is filled out.
When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled
, the kernel oops is going to happen because btmtksdio_interrupt access an
uninitialized pointer.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb Version: 9aebfd4a2200ab8075e44379c758bccefdc589bb |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btmtksdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "874eca93966a786eace87fa6dfb206c2dd9519b1",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "70a6cf749d9ff9f463490248322e5343199bc267",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "770a97d3f34b801de1b04737b43e02c55118c41a",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "4d3d1f2c35a19988d3c5f0ee86038b525e830840",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "6d7be5afbb41c918d2f12f857f8c7efa50500be2",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
},
{
"lessThan": "b062a0b9c1dc1ff63094337dccfe1568d5b62023",
"status": "affected",
"version": "9aebfd4a2200ab8075e44379c758bccefdc589bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btmtksdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt\n\nFix the following kernel oops in btmtksdio_interrrupt\n\n[ 14.339134] btmtksdio_interrupt+0x28/0x54\n[ 14.339139] process_sdio_pending_irqs+0x68/0x1a0\n[ 14.339144] sdio_irq_work+0x40/0x70\n[ 14.339154] process_one_work+0x184/0x39c\n[ 14.339160] worker_thread+0x228/0x3e8\n[ 14.339168] kthread+0x148/0x3ac\n[ 14.339176] ret_from_fork+0x10/0x30\n\nThat happened because hdev-\u003epower_on is already called before\nsdio_set_drvdata which btmtksdio_interrupt handler relies on is not\nproperly set up.\n\nThe details are shown as the below: hci_register_dev would run\nqueue_work(hdev-\u003ereq_workqueue, \u0026hdev-\u003epower_on) as WQ_HIGHPRI\nworkqueue_struct to complete the power-on sequeunce and thus hci_power_on\nmay run before sdio_set_drvdata is done in btmtksdio_probe.\n\nThe hci_dev_do_open in hci_power_on would initialize the device and enable\nthe interrupt and thus it is possible that btmtksdio_interrupt is being\ncalled right before sdio_set_drvdata is filled out.\n\nWhen btmtksdio_interrupt is being called and sdio_set_drvdata is not filled\n, the kernel oops is going to happen because btmtksdio_interrupt access an\nuninitialized pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:13.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/874eca93966a786eace87fa6dfb206c2dd9519b1"
},
{
"url": "https://git.kernel.org/stable/c/70a6cf749d9ff9f463490248322e5343199bc267"
},
{
"url": "https://git.kernel.org/stable/c/770a97d3f34b801de1b04737b43e02c55118c41a"
},
{
"url": "https://git.kernel.org/stable/c/4d3d1f2c35a19988d3c5f0ee86038b525e830840"
},
{
"url": "https://git.kernel.org/stable/c/6d7be5afbb41c918d2f12f857f8c7efa50500be2"
},
{
"url": "https://git.kernel.org/stable/c/b062a0b9c1dc1ff63094337dccfe1568d5b62023"
}
],
"title": "Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49200",
"datePublished": "2025-02-26T01:55:42.758Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-05-04T08:32:13.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21865 (GCVE-0-2025-21865)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
Brad Spengler reported the list_del() corruption splat in
gtp_net_exit_batch_rtnl(). [0]
Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns
dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()
to destroy devices in each netns as done in geneve and ip tunnels.
However, this could trigger ->dellink() twice for the same device during
->exit_batch_rtnl().
Say we have two netns A & B and gtp device B that resides in netns B but
whose UDP socket is in netns A.
1. cleanup_net() processes netns A and then B.
2. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns A's gn->gtp_dev_list and calls ->dellink().
[ device B is not yet unlinked from netns B
as unregister_netdevice_many() has not been called. ]
3. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns B's for_each_netdev() and calls ->dellink().
gtp_dellink() cleans up the device's hash table, unlinks the dev from
gn->gtp_dev_list, and calls unregister_netdevice_queue().
Basically, calling gtp_dellink() multiple times is fine unless
CONFIG_DEBUG_LIST is enabled.
Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and
delegate the destruction to default_device_exit_batch() as done
in bareudp.
[0]:
list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1
Tainted: [T]=RANDSTRUCT
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58
Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60
RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283
RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054
RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000
RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32
R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4
R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08
RBX: kasan shadow of 0x0
RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554
RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58
RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71
RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]
RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]
R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]
R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]
R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]
FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0
Stack:
0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00
ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005
0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d
Call Trace:
<TASK>
[<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28
[<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28
[<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c986380c1d5274c4d5e935addc807d6791cc23eb Version: 5f1678346109ff3a6d229d33437fcba3cce9209d Version: 036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3 Version: efec287cbac92ac6ee8312a89221854760e13b34 Version: bb11f992f5a475bc68ef959f17a55306f0328495 Version: 86f73d4ab2f27deeff22ba9336ad103d94f12ac7 Version: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 Version: eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:29.794279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.011Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:21.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f86fb07db65a470d0c11f79da551bd9466357dc",
"status": "affected",
"version": "c986380c1d5274c4d5e935addc807d6791cc23eb",
"versionType": "git"
},
{
"lessThan": "33eb925c0c26e86ca540a08254806512bf911f22",
"status": "affected",
"version": "5f1678346109ff3a6d229d33437fcba3cce9209d",
"versionType": "git"
},
{
"lessThan": "cb15bb1bde0ba97cbbed9508e45210dcafec3657",
"status": "affected",
"version": "036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3",
"versionType": "git"
},
{
"lessThan": "b70fa591b066d52b141fc430ffdee35b6cc87a66",
"status": "affected",
"version": "efec287cbac92ac6ee8312a89221854760e13b34",
"versionType": "git"
},
{
"lessThan": "9d03e7e37187ae140e716377599493987fb20c5b",
"status": "affected",
"version": "bb11f992f5a475bc68ef959f17a55306f0328495",
"versionType": "git"
},
{
"lessThan": "ff81b14010362f6188ca26fec22ff05e4da45595",
"status": "affected",
"version": "86f73d4ab2f27deeff22ba9336ad103d94f12ac7",
"versionType": "git"
},
{
"lessThan": "37e7644b961600ef0beb01d3970c3034a62913af",
"status": "affected",
"version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
"versionType": "git"
},
{
"lessThan": "4ccacf86491d33d2486b62d4d44864d7101b299d",
"status": "affected",
"version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.4.290",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10.234",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "6.1.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "6.6.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.12.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket\u0027s netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger -\u003edellink() twice for the same device during\n-\u003eexit_batch_rtnl().\n\nSay we have two netns A \u0026 B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A\u0027s gn-\u003egtp_dev_list and calls -\u003edellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B\u0027s for_each_netdev() and calls -\u003edellink().\n\ngtp_dellink() cleans up the device\u0027s hash table, unlinks the dev from\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet\u0027s remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n \u003cTASK\u003e\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:48.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"
},
{
"url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"
},
{
"url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"
},
{
"url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"
},
{
"url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"
},
{
"url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"
},
{
"url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"
},
{
"url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"
}
],
"title": "gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21865",
"datePublished": "2025-03-12T09:42:21.901Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-11-03T19:38:21.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49312 (GCVE-0-2022-49312)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8712: fix a potential memory leak in r871xu_drv_init()
In r871xu_drv_init(), if r8712_init_drv_sw() fails, then the memory
allocated by r8712_alloc_io_queue() in r8712_usb_dvobj_init() is not
properly released as there is no action will be performed by
r8712_usb_dvobj_deinit().
To properly release it, we should call r8712_free_io_queue() in
r8712_usb_dvobj_deinit().
Besides, in r871xu_dev_remove(), r8712_usb_dvobj_deinit() will be called
by r871x_dev_unload() under condition `padapter->bup` and
r8712_free_io_queue() is called by r8712_free_drv_sw().
However, r8712_usb_dvobj_deinit() does not rely on `padapter->bup` and
calling r8712_free_io_queue() in r8712_free_drv_sw() is negative for
better understading the code.
So I move r8712_usb_dvobj_deinit() into r871xu_dev_remove(), and remove
r8712_free_io_queue() from r8712_free_drv_sw().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:14.240096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:57.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/os_intfs.c",
"drivers/staging/rtl8712/usb_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a89a92efc342dd7c44b6056da87debc598f9c73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8eb42d6d10f8fe509117859defddf9e72b4fa4d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "205e039fead72e87ad2838f5e649a4c4834f648b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a2882b8baad068d21c99fb2ab5a85a2bdbd5b834",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7288ff561de650d4139fab80e9cb0da9b5b32434",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/os_intfs.c",
"drivers/staging/rtl8712/usb_intf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix a potential memory leak in r871xu_drv_init()\n\nIn r871xu_drv_init(), if r8712_init_drv_sw() fails, then the memory\nallocated by r8712_alloc_io_queue() in r8712_usb_dvobj_init() is not\nproperly released as there is no action will be performed by\nr8712_usb_dvobj_deinit().\nTo properly release it, we should call r8712_free_io_queue() in\nr8712_usb_dvobj_deinit().\n\nBesides, in r871xu_dev_remove(), r8712_usb_dvobj_deinit() will be called\nby r871x_dev_unload() under condition `padapter-\u003ebup` and\nr8712_free_io_queue() is called by r8712_free_drv_sw().\nHowever, r8712_usb_dvobj_deinit() does not rely on `padapter-\u003ebup` and\ncalling r8712_free_io_queue() in r8712_free_drv_sw() is negative for\nbetter understading the code.\nSo I move r8712_usb_dvobj_deinit() into r871xu_dev_remove(), and remove\nr8712_free_io_queue() from r8712_free_drv_sw()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:57.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a89a92efc342dd7c44b6056da87debc598f9c73"
},
{
"url": "https://git.kernel.org/stable/c/8eb42d6d10f8fe509117859defddf9e72b4fa4d0"
},
{
"url": "https://git.kernel.org/stable/c/205e039fead72e87ad2838f5e649a4c4834f648b"
},
{
"url": "https://git.kernel.org/stable/c/a2882b8baad068d21c99fb2ab5a85a2bdbd5b834"
},
{
"url": "https://git.kernel.org/stable/c/7288ff561de650d4139fab80e9cb0da9b5b32434"
}
],
"title": "staging: rtl8712: fix a potential memory leak in r871xu_drv_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49312",
"datePublished": "2025-02-26T02:10:41.627Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:57.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49665 (GCVE-0-2022-49665)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource
Unlike release_mem_region(), a call to release_resource() does not
free the resource, so it has to be freed explicitly to avoid a memory
leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/thinkpad_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3884bf75fa044c73e843d95dd71a424e80ebb095",
"status": "affected",
"version": "455cd867b85b53fd3602345f9b8a8facc551adc9",
"versionType": "git"
},
{
"lessThan": "d2f33f0c3ad7b0d5262d9b986f1353265fad7a08",
"status": "affected",
"version": "455cd867b85b53fd3602345f9b8a8facc551adc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/thinkpad_acpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource\n\nUnlike release_mem_region(), a call to release_resource() does not\nfree the resource, so it has to be freed explicitly to avoid a memory\nleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:52.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3884bf75fa044c73e843d95dd71a424e80ebb095"
},
{
"url": "https://git.kernel.org/stable/c/d2f33f0c3ad7b0d5262d9b986f1353265fad7a08"
}
],
"title": "platform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49665",
"datePublished": "2025-02-26T02:24:00.496Z",
"dateReserved": "2025-02-26T02:21:30.436Z",
"dateUpdated": "2025-05-04T08:42:52.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21864 (GCVE-0-2025-21864)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: drop secpath at the same time as we currently drop dst
Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while
running tests that boil down to:
- create a pair of netns
- run a basic TCP test over ipcomp6
- delete the pair of netns
The xfrm_state found on spi_byaddr was not deleted at the time we
delete the netns, because we still have a reference on it. This
lingering reference comes from a secpath (which holds a ref on the
xfrm_state), which is still attached to an skb. This skb is not
leaked, it ends up on sk_receive_queue and then gets defer-free'd by
skb_attempt_defer_free.
The problem happens when we defer freeing an skb (push it on one CPU's
defer_list), and don't flush that list before the netns is deleted. In
that case, we still have a reference on the xfrm_state that we don't
expect at this point.
We already drop the skb's dst in the TCP receive path when it's no
longer needed, so let's also drop the secpath. At this point,
tcp_filter has already called into the LSM hooks that may require the
secpath, so it should not be needed anymore. However, in some of those
places, the MPTCP extension has just been attached to the skb, so we
cannot simply drop all extensions.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:34.148914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:20.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"net/ipv4/tcp_fastopen.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87858bbf21da239ace300d61dd209907995c0491",
"status": "affected",
"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
"versionType": "git"
},
{
"lessThan": "f1d5e6a5e468308af7759cf5276779d3155c5e98",
"status": "affected",
"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
"versionType": "git"
},
{
"lessThan": "cd34a07f744451e2ecf9005bb7d24d0b2fb83656",
"status": "affected",
"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
"versionType": "git"
},
{
"lessThan": "69cafd9413084cd5012cf5d7c7ec6f3d493726d9",
"status": "affected",
"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
"versionType": "git"
},
{
"lessThan": "9b6412e6979f6f9e0632075f8f008937b5cd4efd",
"status": "affected",
"version": "68822bdf76f10c3dc80609d4e2cdc1e847429086",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"net/ipv4/tcp_fastopen.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free\u0027d by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU\u0027s\ndefer_list), and don\u0027t flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don\u0027t\nexpect at this point.\n\nWe already drop the skb\u0027s dst in the TCP receive path when it\u0027s no\nlonger needed, so let\u0027s also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:47.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491"
},
{
"url": "https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98"
},
{
"url": "https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656"
},
{
"url": "https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9"
},
{
"url": "https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd"
}
],
"title": "tcp: drop secpath at the same time as we currently drop dst",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21864",
"datePublished": "2025-03-12T09:42:21.223Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-11-03T19:38:20.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49627 (GCVE-0-2022-49627)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix potential memory leak in ima_init_crypto()
On failure to allocate the SHA1 tfm, IMA fails to initialize and exits
without freeing the ima_algo_array. Add the missing kfree() for
ima_algo_array to avoid the potential memory leak.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:43.524429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:06.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1d9702ceb4a091da6bee380627596d1fba09274",
"status": "affected",
"version": "6d94809af6b0830c4dfcad661535a5939bcb8a7d",
"versionType": "git"
},
{
"lessThan": "601ae26aa2802a4c10c94d7388a99eabdbefab2b",
"status": "affected",
"version": "6d94809af6b0830c4dfcad661535a5939bcb8a7d",
"versionType": "git"
},
{
"lessThan": "830de9667b3ada0a75a3f098dfc7159709fe397b",
"status": "affected",
"version": "6d94809af6b0830c4dfcad661535a5939bcb8a7d",
"versionType": "git"
},
{
"lessThan": "067d2521874135267e681c19d42761c601d503d6",
"status": "affected",
"version": "6d94809af6b0830c4dfcad661535a5939bcb8a7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.132",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.56",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.13",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix potential memory leak in ima_init_crypto()\n\nOn failure to allocate the SHA1 tfm, IMA fails to initialize and exits\nwithout freeing the ima_algo_array. Add the missing kfree() for\nima_algo_array to avoid the potential memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:06.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1d9702ceb4a091da6bee380627596d1fba09274"
},
{
"url": "https://git.kernel.org/stable/c/601ae26aa2802a4c10c94d7388a99eabdbefab2b"
},
{
"url": "https://git.kernel.org/stable/c/830de9667b3ada0a75a3f098dfc7159709fe397b"
},
{
"url": "https://git.kernel.org/stable/c/067d2521874135267e681c19d42761c601d503d6"
}
],
"title": "ima: Fix potential memory leak in ima_init_crypto()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49627",
"datePublished": "2025-02-26T02:23:41.763Z",
"dateReserved": "2025-02-26T02:21:30.421Z",
"dateUpdated": "2025-10-01T20:17:06.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57986 (GCVE-0-2024-57986)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections
A report in 2019 by the syzbot fuzzer was found to be connected to two
errors in the HID core associated with Resolution Multipliers. One of
the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop
in hid_apply_multiplier."), but the other has not been fixed.
This error arises because hid_apply_multipler() assumes that every
Resolution Multiplier control is contained in a Logical Collection,
i.e., there's no way the routine can ever set multiplier_collection to
NULL. This is in spite of the fact that the function starts with a
big comment saying:
* "The Resolution Multiplier control must be contained in the same
* Logical Collection as the control(s) to which it is to be applied.
...
* If no Logical Collection is
* defined, the Resolution Multiplier is associated with all
* controls in the report."
* HID Usage Table, v1.12, Section 4.3.1, p30
*
* Thus, search from the current collection upwards until we find a
* logical collection...
The comment and the code overlook the possibility that none of the
collections found may be a Logical Collection.
The fix is to set the multiplier_collection pointer to NULL if the
collection found isn't a Logical Collection.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc Version: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:04.819Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a002e4029230d9a6be89f869b2328b258612f5c",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "05dd7d10675b540b8b7b31035c0a8abb6e6f3b88",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "a32ea3f982b389ea43a41ce77b6fb70d74006d9b",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "bebf542e8d7c44a18a95f306b1b5dc160c823506",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "ed3d3883476423f337aac0f22c521819b3f1e970",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "ebaeca33d32c8bdb705a8c88267737a456f354b1",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "a5498f1f864ea26f4c613c77f54409c776a95a90",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
},
{
"lessThan": "64f2657b579343cf923aa933f08074e6258eb07b",
"status": "affected",
"version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Fix assumption that Resolution Multipliers must be in Logical Collections\n\nA report in 2019 by the syzbot fuzzer was found to be connected to two\nerrors in the HID core associated with Resolution Multipliers. One of\nthe errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop\nin hid_apply_multiplier.\"), but the other has not been fixed.\n\nThis error arises because hid_apply_multipler() assumes that every\nResolution Multiplier control is contained in a Logical Collection,\ni.e., there\u0027s no way the routine can ever set multiplier_collection to\nNULL. This is in spite of the fact that the function starts with a\nbig comment saying:\n\n\t * \"The Resolution Multiplier control must be contained in the same\n\t * Logical Collection as the control(s) to which it is to be applied.\n\t ...\n\t * If no Logical Collection is\n\t * defined, the Resolution Multiplier is associated with all\n\t * controls in the report.\"\n\t * HID Usage Table, v1.12, Section 4.3.1, p30\n\t *\n\t * Thus, search from the current collection upwards until we find a\n\t * logical collection...\n\nThe comment and the code overlook the possibility that none of the\ncollections found may be a Logical Collection.\n\nThe fix is to set the multiplier_collection pointer to NULL if the\ncollection found isn\u0027t a Logical Collection."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:45.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a002e4029230d9a6be89f869b2328b258612f5c"
},
{
"url": "https://git.kernel.org/stable/c/05dd7d10675b540b8b7b31035c0a8abb6e6f3b88"
},
{
"url": "https://git.kernel.org/stable/c/a32ea3f982b389ea43a41ce77b6fb70d74006d9b"
},
{
"url": "https://git.kernel.org/stable/c/bebf542e8d7c44a18a95f306b1b5dc160c823506"
},
{
"url": "https://git.kernel.org/stable/c/ed3d3883476423f337aac0f22c521819b3f1e970"
},
{
"url": "https://git.kernel.org/stable/c/ebaeca33d32c8bdb705a8c88267737a456f354b1"
},
{
"url": "https://git.kernel.org/stable/c/a5498f1f864ea26f4c613c77f54409c776a95a90"
},
{
"url": "https://git.kernel.org/stable/c/64f2657b579343cf923aa933f08074e6258eb07b"
}
],
"title": "HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57986",
"datePublished": "2025-02-27T02:07:10.621Z",
"dateReserved": "2025-02-27T02:04:28.913Z",
"dateUpdated": "2025-11-03T19:33:04.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21888 (GCVE-0-2025-21888)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix a WARN during dereg_mr for DM type
Memory regions (MR) of type DM (device memory) do not have an associated
umem.
In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code
incorrectly takes the wrong branch, attempting to call
dma_unmap_single() on a DMA address that is not mapped.
This results in a WARN [1], as shown below.
The issue is resolved by properly accounting for the DM type and
ensuring the correct branch is selected in mlx5_free_priv_descs().
[1]
WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90
Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core
CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00
RSP: 0018:ffffc90001913a10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x84/0x190
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0xf8/0x1c0
? handle_bug+0x55/0x90
? exc_invalid_op+0x13/0x60
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
dma_unmap_page_attrs+0xe6/0x290
mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]
__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]
? _raw_spin_unlock_irq+0x24/0x40
? wait_for_completion+0xfe/0x130
? rdma_restrack_put+0x63/0xe0 [ib_core]
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f537adaf17b
Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b
RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270
R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190
R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bd34bdd468e93a779c403de3cf7d43ee633b3e0",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
},
{
"lessThan": "f1298cad47ae29828c5c5be77e733ccfcaef6a7f",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
},
{
"lessThan": "abc7b3f1f056d69a8f11d6dceecc0c9549ace770",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\nMemory regions (MR) of type DM (device memory) do not have an associated\numem.\n\nIn the __mlx5_ib_dereg_mr() -\u003e mlx5_free_priv_descs() flow, the code\nincorrectly takes the wrong branch, attempting to call\ndma_unmap_single() on a DMA address that is not mapped.\n\nThis results in a WARN [1], as shown below.\n\nThe issue is resolved by properly accounting for the DM type and\nensuring the correct branch is selected in mlx5_free_priv_descs().\n\n[1]\nWARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90\nModules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:iommu_dma_unmap_page+0x79/0x90\nCode: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00\nRSP: 0018:ffffc90001913a10 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x84/0x190\n? iommu_dma_unmap_page+0x79/0x90\n? report_bug+0xf8/0x1c0\n? handle_bug+0x55/0x90\n? exc_invalid_op+0x13/0x60\n? asm_exc_invalid_op+0x16/0x20\n? iommu_dma_unmap_page+0x79/0x90\ndma_unmap_page_attrs+0xe6/0x290\nmlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f537adaf17b\nCode: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b\nRDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270\nR10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190\nR13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:23.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0"
},
{
"url": "https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f"
},
{
"url": "https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770"
}
],
"title": "RDMA/mlx5: Fix a WARN during dereg_mr for DM type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21888",
"datePublished": "2025-03-27T14:57:15.141Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:23.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49291 (GCVE-0-2022-49291)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
Currently we have neither proper check nor protection against the
concurrent calls of PCM hw_params and hw_free ioctls, which may result
in a UAF. Since the existing PCM stream lock can't be used for
protecting the whole ioctl operations, we need a new mutex to protect
those racy calls.
This patch introduced a new mutex, runtime->buffer_mutex, and applies
it to both hw_params and hw_free ioctl code paths. Along with it, the
both functions are slightly modified (the mmap_count check is moved
into the state-check block) for code simplicity.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:45.856077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a42aa926843acca96c0dfbde2e835b8137f2f092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9cb6c40a6ebe4a0cfc9d6a181958211682cffea9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fbeb492694ce0441053de57699e1e2b7bc148a69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f6947f5f5208f6ebd4d76a82a4757e2839a23f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "33061d0fba51d2bf70a2ef9645f703c33fe8e438",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0090c13cbbdffd7da079ac56f80373a9a1be0bf8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1bbf82d9f961414d6c76a08f7f843ea068e0ab7b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92ee3c60ec9fe64404dc035e7c41277d74aa26cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/sound/pcm.h",
"sound/core/pcm.c",
"sound/core/pcm_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.193",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.279",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.193",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent hw_params and hw_free calls\n\nCurrently we have neither proper check nor protection against the\nconcurrent calls of PCM hw_params and hw_free ioctls, which may result\nin a UAF. Since the existing PCM stream lock can\u0027t be used for\nprotecting the whole ioctl operations, we need a new mutex to protect\nthose racy calls.\n\nThis patch introduced a new mutex, runtime-\u003ebuffer_mutex, and applies\nit to both hw_params and hw_free ioctl code paths. Along with it, the\nboth functions are slightly modified (the mmap_count check is moved\ninto the state-check block) for code simplicity."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:22.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a42aa926843acca96c0dfbde2e835b8137f2f092"
},
{
"url": "https://git.kernel.org/stable/c/9cb6c40a6ebe4a0cfc9d6a181958211682cffea9"
},
{
"url": "https://git.kernel.org/stable/c/fbeb492694ce0441053de57699e1e2b7bc148a69"
},
{
"url": "https://git.kernel.org/stable/c/0f6947f5f5208f6ebd4d76a82a4757e2839a23f8"
},
{
"url": "https://git.kernel.org/stable/c/33061d0fba51d2bf70a2ef9645f703c33fe8e438"
},
{
"url": "https://git.kernel.org/stable/c/0090c13cbbdffd7da079ac56f80373a9a1be0bf8"
},
{
"url": "https://git.kernel.org/stable/c/1bbf82d9f961414d6c76a08f7f843ea068e0ab7b"
},
{
"url": "https://git.kernel.org/stable/c/92ee3c60ec9fe64404dc035e7c41277d74aa26cb"
}
],
"title": "ALSA: pcm: Fix races among concurrent hw_params and hw_free calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49291",
"datePublished": "2025-02-26T01:56:27.986Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:22.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53008 (GCVE-0-2023-53008)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential memory leaks in session setup
Make sure to free cifs_ses::auth_key.response before allocating it as
we might end up leaking memory in reconnect or mounting.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:08:03.037548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:03.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsencrypt.c",
"fs/cifs/sess.c",
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "893d45394dbe4b5cbf3723c19e2ccc8b93a6ac9b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fe58d977ee05da5bb89ef5dc4f5bf2dc15db46f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsencrypt.c",
"fs/cifs/sess.c",
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential memory leaks in session setup\n\nMake sure to free cifs_ses::auth_key.response before allocating it as\nwe might end up leaking memory in reconnect or mounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:29.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/893d45394dbe4b5cbf3723c19e2ccc8b93a6ac9b"
},
{
"url": "https://git.kernel.org/stable/c/2fe58d977ee05da5bb89ef5dc4f5bf2dc15db46f"
}
],
"title": "cifs: fix potential memory leaks in session setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53008",
"datePublished": "2025-03-27T16:43:38.718Z",
"dateReserved": "2025-03-27T16:40:15.746Z",
"dateUpdated": "2025-10-01T20:17:03.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49512 (GCVE-0-2022-49512)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: denali: Use managed device resources
All of the resources used by this driver has managed interfaces, so use
them. Otherwise we will get the following splat:
[ 4.472703] denali-nand-pci 0000:00:05.0: timeout while waiting for irq 0x1000
[ 4.474071] denali-nand-pci: probe of 0000:00:05.0 failed with error -5
[ 4.473538] nand: No NAND device found
[ 4.474068] BUG: unable to handle page fault for address: ffffc90005000410
[ 4.475169] #PF: supervisor write access in kernel mode
[ 4.475579] #PF: error_code(0x0002) - not-present page
[ 4.478362] RIP: 0010:iowrite32+0x9/0x50
[ 4.486068] Call Trace:
[ 4.486269] <IRQ>
[ 4.486443] denali_isr+0x15b/0x300 [denali]
[ 4.486788] ? denali_direct_write+0x50/0x50 [denali]
[ 4.487189] __handle_irq_event_percpu+0x161/0x3b0
[ 4.487571] handle_irq_event+0x7d/0x1b0
[ 4.487884] handle_fasteoi_irq+0x2b0/0x770
[ 4.488219] __common_interrupt+0xc8/0x1b0
[ 4.488549] common_interrupt+0x9a/0xc0
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/denali_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c68daf4a368cd9e63ae5a2145c9e4a6f838c166",
"status": "affected",
"version": "93db446a424cee9387b532995e6b516667079555",
"versionType": "git"
},
{
"lessThan": "3830dbdfb9a4aec680e43ed80b9f23db7a88eac9",
"status": "affected",
"version": "93db446a424cee9387b532995e6b516667079555",
"versionType": "git"
},
{
"lessThan": "87149cf9186201a63f0e0b93d9fa93d480bcb771",
"status": "affected",
"version": "93db446a424cee9387b532995e6b516667079555",
"versionType": "git"
},
{
"lessThan": "efea1dd176edd17c8252051b7de6957f06efc394",
"status": "affected",
"version": "93db446a424cee9387b532995e6b516667079555",
"versionType": "git"
},
{
"lessThan": "3a745b51cddafade99aaea1b93aad31e9614e230",
"status": "affected",
"version": "93db446a424cee9387b532995e6b516667079555",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/denali_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: denali: Use managed device resources\n\nAll of the resources used by this driver has managed interfaces, so use\nthem. Otherwise we will get the following splat:\n\n[ 4.472703] denali-nand-pci 0000:00:05.0: timeout while waiting for irq 0x1000\n[ 4.474071] denali-nand-pci: probe of 0000:00:05.0 failed with error -5\n[ 4.473538] nand: No NAND device found\n[ 4.474068] BUG: unable to handle page fault for address: ffffc90005000410\n[ 4.475169] #PF: supervisor write access in kernel mode\n[ 4.475579] #PF: error_code(0x0002) - not-present page\n[ 4.478362] RIP: 0010:iowrite32+0x9/0x50\n[ 4.486068] Call Trace:\n[ 4.486269] \u003cIRQ\u003e\n[ 4.486443] denali_isr+0x15b/0x300 [denali]\n[ 4.486788] ? denali_direct_write+0x50/0x50 [denali]\n[ 4.487189] __handle_irq_event_percpu+0x161/0x3b0\n[ 4.487571] handle_irq_event+0x7d/0x1b0\n[ 4.487884] handle_fasteoi_irq+0x2b0/0x770\n[ 4.488219] __common_interrupt+0xc8/0x1b0\n[ 4.488549] common_interrupt+0x9a/0xc0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:31.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c68daf4a368cd9e63ae5a2145c9e4a6f838c166"
},
{
"url": "https://git.kernel.org/stable/c/3830dbdfb9a4aec680e43ed80b9f23db7a88eac9"
},
{
"url": "https://git.kernel.org/stable/c/87149cf9186201a63f0e0b93d9fa93d480bcb771"
},
{
"url": "https://git.kernel.org/stable/c/efea1dd176edd17c8252051b7de6957f06efc394"
},
{
"url": "https://git.kernel.org/stable/c/3a745b51cddafade99aaea1b93aad31e9614e230"
}
],
"title": "mtd: rawnand: denali: Use managed device resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49512",
"datePublished": "2025-02-26T02:13:42.128Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-05-04T08:39:31.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49100 (GCVE-0-2022-49100)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_console: eliminate anonymous module_init & module_exit
Eliminate anonymous module_init() and module_exit(), which can lead to
confusion or ambiguity when reading System.map, crashes/oops/bugs,
or an initcall_debug log.
Give each of these init and exit functions unique driver-specific
names to eliminate the anonymous names.
Example 1: (System.map)
ffffffff832fc78c t init
ffffffff832fc79e t init
ffffffff832fc8f8 t init
Example 2: (initcall_debug log)
calling init+0x0/0x12 @ 1
initcall init+0x0/0x12 returned 0 after 15 usecs
calling init+0x0/0x60 @ 1
initcall init+0x0/0x60 returned 0 after 2 usecs
calling init+0x0/0x9a @ 1
initcall init+0x0/0x9a returned 0 after 74 usecs
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/virtio_console.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93e3d88321d2274fa4e26b006e19cc10fec331c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7deaddb704713608e0ae559e27185581b9af71a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f3d824bd70a1303464d5e93ee3e7afe7832fe89",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3504b0a177208eda85bf472bbf7c9aa77d2b8343",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c69b442125bf009fce26e15aa5616caf8a3673c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "44c2d5fbe7b2bd1f8cb114d608a591a73a5d4ae6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3fd5dee7404ce40c79cba468bb2510115639d975",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71612aee09ecea3475f8751dc841d75a011b1fd0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fefb8a2a941338d871e2d83fbd65fbfa068857bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/virtio_console.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_console: eliminate anonymous module_init \u0026 module_exit\n\nEliminate anonymous module_init() and module_exit(), which can lead to\nconfusion or ambiguity when reading System.map, crashes/oops/bugs,\nor an initcall_debug log.\n\nGive each of these init and exit functions unique driver-specific\nnames to eliminate the anonymous names.\n\nExample 1: (System.map)\n ffffffff832fc78c t init\n ffffffff832fc79e t init\n ffffffff832fc8f8 t init\n\nExample 2: (initcall_debug log)\n calling init+0x0/0x12 @ 1\n initcall init+0x0/0x12 returned 0 after 15 usecs\n calling init+0x0/0x60 @ 1\n initcall init+0x0/0x60 returned 0 after 2 usecs\n calling init+0x0/0x9a @ 1\n initcall init+0x0/0x9a returned 0 after 74 usecs"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:53.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93e3d88321d2274fa4e26b006e19cc10fec331c2"
},
{
"url": "https://git.kernel.org/stable/c/7deaddb704713608e0ae559e27185581b9af71a0"
},
{
"url": "https://git.kernel.org/stable/c/0f3d824bd70a1303464d5e93ee3e7afe7832fe89"
},
{
"url": "https://git.kernel.org/stable/c/3504b0a177208eda85bf472bbf7c9aa77d2b8343"
},
{
"url": "https://git.kernel.org/stable/c/c69b442125bf009fce26e15aa5616caf8a3673c3"
},
{
"url": "https://git.kernel.org/stable/c/44c2d5fbe7b2bd1f8cb114d608a591a73a5d4ae6"
},
{
"url": "https://git.kernel.org/stable/c/3fd5dee7404ce40c79cba468bb2510115639d975"
},
{
"url": "https://git.kernel.org/stable/c/71612aee09ecea3475f8751dc841d75a011b1fd0"
},
{
"url": "https://git.kernel.org/stable/c/fefb8a2a941338d871e2d83fbd65fbfa068857bd"
}
],
"title": "virtio_console: eliminate anonymous module_init \u0026 module_exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49100",
"datePublished": "2025-02-26T01:54:51.044Z",
"dateReserved": "2025-02-26T01:49:39.250Z",
"dateUpdated": "2025-05-04T08:29:53.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49053 (GCVE-0-2022-49053)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-21 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcmu: Fix possible page UAF
tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
take refcount properly and just returns page pointer. When
tcmu_try_get_data_page() returns, the returned page may have been freed by
tcmu_blocks_release().
We need to get_page() under cmdr_lock to avoid concurrent
tcmu_blocks_release().
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da Version: 141685a39151aea95eb56562d2953e919c6c73da |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:25.641949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7c5d79e50be6e06b669141e3db1f977a0dd4e8e",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "fb7a5115422fbd6a4d505e8844f1ef5529f10489",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "aec36b98a1bbaa84bfd8299a306e4c12314af626",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a9564d84ed9f6ee71017d062d0d2182154294a4b",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
},
{
"lessThan": "a6968f7a367f128d120447360734344d5a3d5336",
"status": "affected",
"version": "141685a39151aea95eb56562d2953e919c6c73da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcmu: Fix possible page UAF\n\ntcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not\ntake refcount properly and just returns page pointer. When\ntcmu_try_get_data_page() returns, the returned page may have been freed by\ntcmu_blocks_release().\n\nWe need to get_page() under cmdr_lock to avoid concurrent\ntcmu_blocks_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:44:03.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e"
},
{
"url": "https://git.kernel.org/stable/c/e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed"
},
{
"url": "https://git.kernel.org/stable/c/fb7a5115422fbd6a4d505e8844f1ef5529f10489"
},
{
"url": "https://git.kernel.org/stable/c/aec36b98a1bbaa84bfd8299a306e4c12314af626"
},
{
"url": "https://git.kernel.org/stable/c/b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322"
},
{
"url": "https://git.kernel.org/stable/c/a9564d84ed9f6ee71017d062d0d2182154294a4b"
},
{
"url": "https://git.kernel.org/stable/c/a6968f7a367f128d120447360734344d5a3d5336"
}
],
"title": "scsi: target: tcmu: Fix possible page UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49053",
"datePublished": "2025-02-26T01:54:26.806Z",
"dateReserved": "2025-02-26T01:49:39.242Z",
"dateUpdated": "2025-05-21T08:44:03.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49533 (GCVE-0-2022-49533)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ath11k: Change max no of active probe SSID and BSSID to fw capability
The maximum number of SSIDs in a for active probe requests is currently
reported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver.
The scan_req_params structure only has the capacity to hold 10 SSIDs.
This leads to a buffer overflow which can be triggered from
wpa_supplicant in userspace. When copying the SSIDs into the
scan_req_params structure in the ath11k_mac_op_hw_scan route, it can
overwrite the extraie pointer.
Firmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe
request will be sent, so totally 64 probe requests supported. So
set both max ssid and bssid to 16 and 4 respectively. Remove the
redundant macros of ssid and bssid.
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/wmi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "210505788f1d243232e21ef660efcd4838890ce8",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "ec5dfa1d66f2f71a48dab027d26a9fa78eb0f58f",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
},
{
"lessThan": "50dc9ce9f80554a88e33b73c30851acf2be36ed3",
"status": "affected",
"version": "d5c65159f2895379e11ca13f62feabe93278985d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/wmi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: Change max no of active probe SSID and BSSID to fw capability\n\nThe maximum number of SSIDs in a for active probe requests is currently\nreported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver.\nThe scan_req_params structure only has the capacity to hold 10 SSIDs.\nThis leads to a buffer overflow which can be triggered from\nwpa_supplicant in userspace. When copying the SSIDs into the\nscan_req_params structure in the ath11k_mac_op_hw_scan route, it can\noverwrite the extraie pointer.\n\nFirmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe\nrequest will be sent, so totally 64 probe requests supported. So\nset both max ssid and bssid to 16 and 4 respectively. Remove the\nredundant macros of ssid and bssid.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:58.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/210505788f1d243232e21ef660efcd4838890ce8"
},
{
"url": "https://git.kernel.org/stable/c/ec5dfa1d66f2f71a48dab027d26a9fa78eb0f58f"
},
{
"url": "https://git.kernel.org/stable/c/50dc9ce9f80554a88e33b73c30851acf2be36ed3"
}
],
"title": "ath11k: Change max no of active probe SSID and BSSID to fw capability",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49533",
"datePublished": "2025-02-26T02:13:52.495Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-05-04T08:39:58.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57947 (GCVE-0-2024-57947)
Vulnerability from cvelistv5
Published
2025-01-23 13:54
Modified
2025-05-04 10:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_set_pipapo: fix initial map fill
The initial buffer has to be inited to all-ones, but it must restrict
it to the size of the first field, not the total field size.
After each round in the map search step, the result and the fill map
are swapped, so if we have a set where f->bsize of the first element
is smaller than m->bsize_max, those one-bits are leaked into future
rounds result map.
This makes pipapo find an incorrect matching results for sets where
first field size is not the largest.
Followup patch adds a test case to nft_concat_range.sh selftest script.
Thanks to Stefano Brivio for pointing out that we need to zero out
the remainder explicitly, only correcting memset() argument isn't enough.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h",
"net/netfilter/nft_set_pipapo_avx2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "957a4d1c4c5849e4515c9fb4db21bf85318103dc",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "9625c46ce6fd4f922595a4b32b1de5066d70464f",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "69b6a67f7052905e928d75a0c5871de50e686986",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "8058c88ac0df21239daee54b5934d5c80ca9685f",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "791a615b7ad2258c560f91852be54b0480837c93",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h",
"net/netfilter/nft_set_pipapo_avx2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.103",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.44",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo: fix initial map fill\n\nThe initial buffer has to be inited to all-ones, but it must restrict\nit to the size of the first field, not the total field size.\n\nAfter each round in the map search step, the result and the fill map\nare swapped, so if we have a set where f-\u003ebsize of the first element\nis smaller than m-\u003ebsize_max, those one-bits are leaked into future\nrounds result map.\n\nThis makes pipapo find an incorrect matching results for sets where\nfirst field size is not the largest.\n\nFollowup patch adds a test case to nft_concat_range.sh selftest script.\n\nThanks to Stefano Brivio for pointing out that we need to zero out\nthe remainder explicitly, only correcting memset() argument isn\u0027t enough."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:07:17.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/957a4d1c4c5849e4515c9fb4db21bf85318103dc"
},
{
"url": "https://git.kernel.org/stable/c/9625c46ce6fd4f922595a4b32b1de5066d70464f"
},
{
"url": "https://git.kernel.org/stable/c/69b6a67f7052905e928d75a0c5871de50e686986"
},
{
"url": "https://git.kernel.org/stable/c/8058c88ac0df21239daee54b5934d5c80ca9685f"
},
{
"url": "https://git.kernel.org/stable/c/791a615b7ad2258c560f91852be54b0480837c93"
}
],
"title": "netfilter: nf_set_pipapo: fix initial map fill",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57947",
"datePublished": "2025-01-23T13:54:20.267Z",
"dateReserved": "2025-01-19T11:50:08.380Z",
"dateUpdated": "2025-05-04T10:07:17.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52992 (GCVE-0-2023-52992)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-09-03 12:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Skip task with pid=1 in send_signal_common()
The following kernel panic can be triggered when a task with pid=1 attaches
a prog that attempts to send killing signal to itself, also see [1] for more
details:
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106
panic+0x2c4/0x60f kernel/panic.c:275
do_exit.cold+0x63/0xe4 kernel/exit.c:789
do_group_exit+0xd4/0x2a0 kernel/exit.c:950
get_signal+0x2460/0x2600 kernel/signal.c:2858
arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
So skip task with pid=1 in bpf_send_signal_common() to avoid the panic.
[1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4923160393b06a34759a11b17930d71e06f396f2",
"status": "affected",
"version": "8b401f9ed2441ad9e219953927a842d24ed051fc",
"versionType": "git"
},
{
"lessThan": "a1c0263f1eb4deee132e11e52ee6982435460d81",
"status": "affected",
"version": "8b401f9ed2441ad9e219953927a842d24ed051fc",
"versionType": "git"
},
{
"lessThan": "0dfef503133565fa0bcf3268d8eeb5b181191a65",
"status": "affected",
"version": "8b401f9ed2441ad9e219953927a842d24ed051fc",
"versionType": "git"
},
{
"lessThan": "1283a01b6e19d05f7ed49584ea653947245cd41e",
"status": "affected",
"version": "8b401f9ed2441ad9e219953927a842d24ed051fc",
"versionType": "git"
},
{
"lessThan": "a3d81bc1eaef48e34dd0b9b48eefed9e02a06451",
"status": "affected",
"version": "8b401f9ed2441ad9e219953927a842d24ed051fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip task with pid=1 in send_signal_common()\n\nThe following kernel panic can be triggered when a task with pid=1 attaches\na prog that attempts to send killing signal to itself, also see [1] for more\ndetails:\n\n Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106\n panic+0x2c4/0x60f kernel/panic.c:275\n do_exit.cold+0x63/0xe4 kernel/exit.c:789\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x2460/0x2600 kernel/signal.c:2858\n arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nSo skip task with pid=1 in bpf_send_signal_common() to avoid the panic.\n\n [1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:59:10.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4923160393b06a34759a11b17930d71e06f396f2"
},
{
"url": "https://git.kernel.org/stable/c/a1c0263f1eb4deee132e11e52ee6982435460d81"
},
{
"url": "https://git.kernel.org/stable/c/0dfef503133565fa0bcf3268d8eeb5b181191a65"
},
{
"url": "https://git.kernel.org/stable/c/1283a01b6e19d05f7ed49584ea653947245cd41e"
},
{
"url": "https://git.kernel.org/stable/c/a3d81bc1eaef48e34dd0b9b48eefed9e02a06451"
}
],
"title": "bpf: Skip task with pid=1 in send_signal_common()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52992",
"datePublished": "2025-03-27T16:43:27.618Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-09-03T12:59:10.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49339 (GCVE-0-2022-49339)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: unexport __init-annotated seg6_hmac_init()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the caller (net/ipv6/seg6.c)
and the callee (net/ipv6/seg6_hmac.c) belong to the same module.
It seems an internal function call in ipv6.ko.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c Version: bf355b8d2c30a289232042cacc1cfaea4923936c |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64aef8efe96c1616142c4476a05731306fc4494e",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "ab8b2c2de273ec1d698a18e399896a6febb5cda0",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "317260b3eb6384a05a8af212308fa50f3b2e8290",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "5d9c1b081ad28c852a97e10dd75412546497694a",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "1084716f76c8045eadf92a9d9a62641f3c8d8c90",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "3e6de5037148c5a93a436b1e8d2edad3dac11755",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "9ba4416b831eeb4d185e88e73488d1d21288e63a",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
},
{
"lessThan": "5801f064e35181c71857a80ff18af4dbec3c5f5c",
"status": "affected",
"version": "bf355b8d2c30a289232042cacc1cfaea4923936c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_hmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: unexport __init-annotated seg6_hmac_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n - Remove __init\n - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the caller (net/ipv6/seg6.c)\nand the callee (net/ipv6/seg6_hmac.c) belong to the same module.\nIt seems an internal function call in ipv6.ko."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:37.695Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64aef8efe96c1616142c4476a05731306fc4494e"
},
{
"url": "https://git.kernel.org/stable/c/ab8b2c2de273ec1d698a18e399896a6febb5cda0"
},
{
"url": "https://git.kernel.org/stable/c/317260b3eb6384a05a8af212308fa50f3b2e8290"
},
{
"url": "https://git.kernel.org/stable/c/5d9c1b081ad28c852a97e10dd75412546497694a"
},
{
"url": "https://git.kernel.org/stable/c/1084716f76c8045eadf92a9d9a62641f3c8d8c90"
},
{
"url": "https://git.kernel.org/stable/c/3e6de5037148c5a93a436b1e8d2edad3dac11755"
},
{
"url": "https://git.kernel.org/stable/c/9ba4416b831eeb4d185e88e73488d1d21288e63a"
},
{
"url": "https://git.kernel.org/stable/c/5801f064e35181c71857a80ff18af4dbec3c5f5c"
}
],
"title": "net: ipv6: unexport __init-annotated seg6_hmac_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49339",
"datePublished": "2025-02-26T02:10:56.704Z",
"dateReserved": "2025-02-26T02:08:31.541Z",
"dateUpdated": "2025-05-04T08:35:37.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52935 (GCVE-0-2023-52935)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-11-03 17:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: fix ->anon_vma race
If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
it to be locked.
Page table traversal is allowed under any one of the mmap lock, the
anon_vma lock (if the VMA is associated with an anon_vma), and the
mapping lock (if the VMA is associated with a mapping); and so to be
able to remove page tables, we must hold all three of them.
retract_page_tables() bails out if an ->anon_vma is attached, but does
this check before holding the mmap lock (as the comment above the check
explains).
If we racily merged an existing ->anon_vma (shared with a child
process) from a neighboring VMA, subsequent rmap traversals on pages
belonging to the child will be able to see the page tables that we are
concurrently removing while assuming that nothing else can access them.
Repeat the ->anon_vma check once we hold the mmap lock to ensure that
there really is no concurrent page table access.
Hitting this bug causes a lockdep warning in collapse_and_free_pmd(),
in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)".
It can also lead to use-after-free access.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:40.271006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:31:05.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "352fbf61ce776fef18dca6a68680a6cd943dac95",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
},
{
"lessThan": "cee956ab1efbd858b4ca61c8b474af5aa24b29a6",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
},
{
"lessThan": "abdf3c33918185c3e8ffeb09ed3e334b3d7df47c",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
},
{
"lessThan": "acb08187b5a83cdb9ac4112fae9e18cf983b0128",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
},
{
"lessThan": "023f47a8250c6bdb4aebe744db4bf7f73414028b",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix -\u003eanon_vma race\n\nIf an -\u003eanon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. \nretract_page_tables() bails out if an -\u003eanon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing -\u003eanon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the -\u003eanon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(\u0026vma-\u003eanon_vma-\u003eroot-\u003erwsem)\". \nIt can also lead to use-after-free access."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:05:44.962Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95"
},
{
"url": "https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6"
},
{
"url": "https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c"
},
{
"url": "https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128"
},
{
"url": "https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b"
}
],
"title": "mm/khugepaged: fix -\u003eanon_vma race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52935",
"datePublished": "2025-03-27T16:37:15.505Z",
"dateReserved": "2024-08-21T06:07:11.020Z",
"dateUpdated": "2025-11-03T17:31:05.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-42307 (GCVE-0-2024-42307)
Vulnerability from cvelistv5
Published
2024-08-17 09:09
Modified
2025-11-03 22:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path
Dan Carpenter reported a Smack static checker warning:
fs/smb/client/cifsfs.c:1981 init_cifs()
error: we previously assumed 'serverclose_wq' could be null (see line 1895)
The patch which introduced the serverclose workqueue used the wrong
oredering in error paths in init_cifs() for freeing it on errors.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:10:12.002656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:27.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:04:16.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6018971710fdc7739f8655c1540832b4bb903671",
"status": "affected",
"version": "8c99dfb49bdc17edffc7ff3d46b400c8c291686c",
"versionType": "git"
},
{
"lessThan": "160235efb4f9b55212dedff5de0094c606c4b303",
"status": "affected",
"version": "6f17163b9339fac92023a1d9bef22128db3b9a4b",
"versionType": "git"
},
{
"lessThan": "3739d711246d8fbc95ff73dbdace9741cdce4777",
"status": "affected",
"version": "173217bd73365867378b5e75a86f0049e1069ee8",
"versionType": "git"
},
{
"lessThan": "193cc89ea0ca1da311877d2b4bb5e9f03bcc82a2",
"status": "affected",
"version": "173217bd73365867378b5e75a86f0049e1069ee8",
"versionType": "git"
},
{
"status": "affected",
"version": "40a5d14c9d3b585d55d3209fb5efe202dcaac926",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.103",
"versionStartIncluding": "6.1.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.44",
"versionStartIncluding": "6.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential null pointer use in destroy_workqueue in init_cifs error path\n\nDan Carpenter reported a Smack static checker warning:\n fs/smb/client/cifsfs.c:1981 init_cifs()\n error: we previously assumed \u0027serverclose_wq\u0027 could be null (see line 1895)\n\nThe patch which introduced the serverclose workqueue used the wrong\noredering in error paths in init_cifs() for freeing it on errors."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:58:04.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6018971710fdc7739f8655c1540832b4bb903671"
},
{
"url": "https://git.kernel.org/stable/c/160235efb4f9b55212dedff5de0094c606c4b303"
},
{
"url": "https://git.kernel.org/stable/c/3739d711246d8fbc95ff73dbdace9741cdce4777"
},
{
"url": "https://git.kernel.org/stable/c/193cc89ea0ca1da311877d2b4bb5e9f03bcc82a2"
}
],
"title": "cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42307",
"datePublished": "2024-08-17T09:09:12.613Z",
"dateReserved": "2024-07-30T07:40:12.273Z",
"dateUpdated": "2025-11-03T22:04:16.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49262 (GCVE-0-2022-49262)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: octeontx2 - remove CONFIG_DM_CRYPT check
No issues were found while using the driver with dm-crypt enabled. So
CONFIG_DM_CRYPT check in the driver can be removed.
This also fixes the NULL pointer dereference in driver release if
CONFIG_DM_CRYPT is enabled.
...
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
...
Call trace:
crypto_unregister_alg+0x68/0xfc
crypto_unregister_skciphers+0x44/0x60
otx2_cpt_crypto_exit+0x100/0x1a0
otx2_cptvf_remove+0xf8/0x200
pci_device_remove+0x3c/0xd4
__device_release_driver+0x188/0x234
device_release_driver+0x2c/0x4c
...
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6374086f249295121384bfaa7cdcc8d461146f0",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "a462214866eebbca87e13ff6d73092b1c4895624",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "a1bf728f3388ac3a2c2dffa57e25622e90b9f6f2",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
},
{
"lessThan": "2d841af23ae8f398c85dd1ff2dc24b5ec8ba4569",
"status": "affected",
"version": "6f03f0e8b6c8a82d8e740ff3a87ed407ad423243",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: octeontx2 - remove CONFIG_DM_CRYPT check\n\nNo issues were found while using the driver with dm-crypt enabled. So\nCONFIG_DM_CRYPT check in the driver can be removed.\n\nThis also fixes the NULL pointer dereference in driver release if\nCONFIG_DM_CRYPT is enabled.\n\n...\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n...\nCall trace:\n crypto_unregister_alg+0x68/0xfc\n crypto_unregister_skciphers+0x44/0x60\n otx2_cpt_crypto_exit+0x100/0x1a0\n otx2_cptvf_remove+0xf8/0x200\n pci_device_remove+0x3c/0xd4\n __device_release_driver+0x188/0x234\n device_release_driver+0x2c/0x4c\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:37.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6374086f249295121384bfaa7cdcc8d461146f0"
},
{
"url": "https://git.kernel.org/stable/c/a462214866eebbca87e13ff6d73092b1c4895624"
},
{
"url": "https://git.kernel.org/stable/c/a1bf728f3388ac3a2c2dffa57e25622e90b9f6f2"
},
{
"url": "https://git.kernel.org/stable/c/2d841af23ae8f398c85dd1ff2dc24b5ec8ba4569"
}
],
"title": "crypto: octeontx2 - remove CONFIG_DM_CRYPT check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49262",
"datePublished": "2025-02-26T01:56:13.566Z",
"dateReserved": "2025-02-26T01:49:39.296Z",
"dateUpdated": "2025-05-04T08:33:37.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49498 (GCVE-0-2022-49498)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Check for null pointer of pointer substream before dereferencing it
Pointer substream is being dereferenced on the assignment of pointer card
before substream is being null checked with the macro PCM_RUNTIME_CHECK.
Although PCM_RUNTIME_CHECK calls BUG_ON, it still is useful to perform the
the pointer check before card is assigned.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 95b30a4312545f2dde9db12bf6a425f35d5a0d77 Version: d4cfb30fce03093ad944e0b44bd8f40bdad5330e Version: d4cfb30fce03093ad944e0b44bd8f40bdad5330e Version: d4cfb30fce03093ad944e0b44bd8f40bdad5330e Version: d4cfb30fce03093ad944e0b44bd8f40bdad5330e Version: d4cfb30fce03093ad944e0b44bd8f40bdad5330e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49498",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:38:39.304232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:43.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2421a196cb0911ea95aec1050a0b830464c8fa6",
"status": "affected",
"version": "95b30a4312545f2dde9db12bf6a425f35d5a0d77",
"versionType": "git"
},
{
"lessThan": "f2c68c52898f623fe84518da4606538d193b0cca",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "7784d22f81a29df2ec57ca90d54f93a35cbcd1a2",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "1f2e28857be1e5c7db39bbc221332215fc5467e3",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "b41ef7ad9238c22aa2e142f5ce4ce1a1a0d48123",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "011b559be832194f992f73d6c0d5485f5925a10b",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Check for null pointer of pointer substream before dereferencing it\n\nPointer substream is being dereferenced on the assignment of pointer card\nbefore substream is being null checked with the macro PCM_RUNTIME_CHECK.\nAlthough PCM_RUNTIME_CHECK calls BUG_ON, it still is useful to perform the\nthe pointer check before card is assigned."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:12.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2421a196cb0911ea95aec1050a0b830464c8fa6"
},
{
"url": "https://git.kernel.org/stable/c/f2c68c52898f623fe84518da4606538d193b0cca"
},
{
"url": "https://git.kernel.org/stable/c/7784d22f81a29df2ec57ca90d54f93a35cbcd1a2"
},
{
"url": "https://git.kernel.org/stable/c/1f2e28857be1e5c7db39bbc221332215fc5467e3"
},
{
"url": "https://git.kernel.org/stable/c/b41ef7ad9238c22aa2e142f5ce4ce1a1a0d48123"
},
{
"url": "https://git.kernel.org/stable/c/011b559be832194f992f73d6c0d5485f5925a10b"
}
],
"title": "ALSA: pcm: Check for null pointer of pointer substream before dereferencing it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49498",
"datePublished": "2025-02-26T02:13:32.895Z",
"dateReserved": "2025-02-26T02:08:31.586Z",
"dateUpdated": "2025-10-01T19:46:43.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49688 (GCVE-0-2022-49688)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 12:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix dynamic root getattr
The recent patch to make afs_getattr consult the server didn't account
for the pseudo-inodes employed by the dynamic root-type afs superblock
not having a volume or a server to access, and thus an oops occurs if
such a directory is stat'd.
Fix this by checking to see if the vnode->volume pointer actually points
anywhere before following it in afs_getattr().
This can be tested by stat'ing a directory in /afs. It may be
sufficient just to do "ls /afs" and the oops looks something like:
BUG: kernel NULL pointer dereference, address: 0000000000000020
...
RIP: 0010:afs_getattr+0x8b/0x14b
...
Call Trace:
<TASK>
vfs_statx+0x79/0xf5
vfs_fstatat+0x49/0x62
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b76ea7c06b24dcf97ea3379b6957d5b99c346ea0 Version: dba1941f5bc3de6b460685155b89ae1182824fc8 Version: 61a4cc41e5c1b77d05a12798f8032050aa75f3c8 Version: 94bf8bfb009fad247d02f12e4c443411c8445412 Version: 2aeb8c86d49967552394d5e723f87454cb53f501 Version: 2aeb8c86d49967552394d5e723f87454cb53f501 Version: 9e655a8b874d7c56e02938ddb221b16e293793df |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65c24caf1b9f5b08397c6e805ec24ebc390c6e4d",
"status": "affected",
"version": "b76ea7c06b24dcf97ea3379b6957d5b99c346ea0",
"versionType": "git"
},
{
"lessThan": "e3a232e5767051483ffad4cef7d0a89d292a192b",
"status": "affected",
"version": "dba1941f5bc3de6b460685155b89ae1182824fc8",
"versionType": "git"
},
{
"lessThan": "7b564e3254b7db5fbfbf11a824627a6c31b932b4",
"status": "affected",
"version": "61a4cc41e5c1b77d05a12798f8032050aa75f3c8",
"versionType": "git"
},
{
"lessThan": "2b2bba96526f25f2eba74ecadb031de2e05a83ce",
"status": "affected",
"version": "94bf8bfb009fad247d02f12e4c443411c8445412",
"versionType": "git"
},
{
"lessThan": "7844ceada44eca740d31beb3d97b8511b1ca0a9b",
"status": "affected",
"version": "2aeb8c86d49967552394d5e723f87454cb53f501",
"versionType": "git"
},
{
"lessThan": "cb78d1b5efffe4cf97e16766329dd7358aed3deb",
"status": "affected",
"version": "2aeb8c86d49967552394d5e723f87454cb53f501",
"versionType": "git"
},
{
"status": "affected",
"version": "9e655a8b874d7c56e02938ddb221b16e293793df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/afs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.250",
"versionStartIncluding": "4.19.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.202",
"versionStartIncluding": "5.4.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.127",
"versionStartIncluding": "5.10.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix dynamic root getattr\n\nThe recent patch to make afs_getattr consult the server didn\u0027t account\nfor the pseudo-inodes employed by the dynamic root-type afs superblock\nnot having a volume or a server to access, and thus an oops occurs if\nsuch a directory is stat\u0027d.\n\nFix this by checking to see if the vnode-\u003evolume pointer actually points\nanywhere before following it in afs_getattr().\n\nThis can be tested by stat\u0027ing a directory in /afs. It may be\nsufficient just to do \"ls /afs\" and the oops looks something like:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n ...\n RIP: 0010:afs_getattr+0x8b/0x14b\n ...\n Call Trace:\n \u003cTASK\u003e\n vfs_statx+0x79/0xf5\n vfs_fstatat+0x49/0x62"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:07.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65c24caf1b9f5b08397c6e805ec24ebc390c6e4d"
},
{
"url": "https://git.kernel.org/stable/c/e3a232e5767051483ffad4cef7d0a89d292a192b"
},
{
"url": "https://git.kernel.org/stable/c/7b564e3254b7db5fbfbf11a824627a6c31b932b4"
},
{
"url": "https://git.kernel.org/stable/c/2b2bba96526f25f2eba74ecadb031de2e05a83ce"
},
{
"url": "https://git.kernel.org/stable/c/7844ceada44eca740d31beb3d97b8511b1ca0a9b"
},
{
"url": "https://git.kernel.org/stable/c/cb78d1b5efffe4cf97e16766329dd7358aed3deb"
}
],
"title": "afs: Fix dynamic root getattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49688",
"datePublished": "2025-02-26T02:24:13.686Z",
"dateReserved": "2025-02-26T02:21:30.442Z",
"dateUpdated": "2025-05-04T12:45:07.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21857 (GCVE-0-2025-21857)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_api: fix error handling causing NULL dereference
tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
return 1 if the allocation succeeded after wrapping. This was treated as
an error, with value 1 returned to caller tcf_exts_init_ex() which sets
exts->actions to NULL and returns 1 to caller fl_change().
fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
which calls tcf_action_init() with exts->actions as argument, where it
is dereferenced.
Example trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1
RIP: 0010:tcf_action_init+0x1f8/0x2c0
Call Trace:
tcf_action_init+0x1f8/0x2c0
tcf_exts_validate_ex+0x175/0x190
fl_change+0x537/0x1120 [cls_flower]
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:55.274904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:38.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de4b679aa3b4da7ec34f639df068b914f20e3c3c",
"status": "affected",
"version": "80cd22c35c9001fe72bf614d29439de41933deca",
"versionType": "git"
},
{
"lessThan": "3e4c56cf41876ef2a82f0877fe2a67648f8632b8",
"status": "affected",
"version": "80cd22c35c9001fe72bf614d29439de41933deca",
"versionType": "git"
},
{
"lessThan": "3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a",
"status": "affected",
"version": "80cd22c35c9001fe72bf614d29439de41933deca",
"versionType": "git"
},
{
"lessThan": "071ed42cff4fcdd89025d966d48eabef59913bf2",
"status": "affected",
"version": "80cd22c35c9001fe72bf614d29439de41933deca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: fix error handling causing NULL dereference\n\ntcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can\nreturn 1 if the allocation succeeded after wrapping. This was treated as\nan error, with value 1 returned to caller tcf_exts_init_ex() which sets\nexts-\u003eactions to NULL and returns 1 to caller fl_change().\n\nfl_change() treats err == 1 as success, calling tcf_exts_validate_ex()\nwhich calls tcf_action_init() with exts-\u003eactions as argument, where it\nis dereferenced.\n\nExample trace:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1\nRIP: 0010:tcf_action_init+0x1f8/0x2c0\nCall Trace:\n tcf_action_init+0x1f8/0x2c0\n tcf_exts_validate_ex+0x175/0x190\n fl_change+0x537/0x1120 [cls_flower]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:39.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de4b679aa3b4da7ec34f639df068b914f20e3c3c"
},
{
"url": "https://git.kernel.org/stable/c/3e4c56cf41876ef2a82f0877fe2a67648f8632b8"
},
{
"url": "https://git.kernel.org/stable/c/3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a"
},
{
"url": "https://git.kernel.org/stable/c/071ed42cff4fcdd89025d966d48eabef59913bf2"
}
],
"title": "net/sched: cls_api: fix error handling causing NULL dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21857",
"datePublished": "2025-03-12T09:42:10.622Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-10-01T19:26:38.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2977 (GCVE-0-2022-2977)
Vulnerability from cvelistv5
Published
2022-09-14 00:00
Modified
2024-08-03 00:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Linux kernel |
Version: Linux kernel versions prior to 5.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230214-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Linux kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux kernel versions prior to 5.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230214-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2977",
"datePublished": "2022-09-14T00:00:00",
"dateReserved": "2022-08-24T00:00:00",
"dateUpdated": "2024-08-03T00:52:59.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49241 (GCVE-0-2022-49241)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error path.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:45.814796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:02.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/sam9x5_wm8731.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ac679aa6a01841da90ec5a4aaa4b5e0badddf0",
"status": "affected",
"version": "fdbcb3cba54b29a37dfe42acdc0e72c543e0807d",
"versionType": "git"
},
{
"lessThan": "f589063b585ac6dd2081bde6c145411cf48d8d92",
"status": "affected",
"version": "fdbcb3cba54b29a37dfe42acdc0e72c543e0807d",
"versionType": "git"
},
{
"lessThan": "14228225091a0854b1de23e5b4fe8bdeeca9683b",
"status": "affected",
"version": "fdbcb3cba54b29a37dfe42acdc0e72c543e0807d",
"versionType": "git"
},
{
"lessThan": "f43ad5dc43240289f4cf13c16cc506f4f7087931",
"status": "affected",
"version": "fdbcb3cba54b29a37dfe42acdc0e72c543e0807d",
"versionType": "git"
},
{
"lessThan": "740dc3e846537c3743da98bf106f376023fd085c",
"status": "affected",
"version": "fdbcb3cba54b29a37dfe42acdc0e72c543e0807d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/sam9x5_wm8731.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:10.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ac679aa6a01841da90ec5a4aaa4b5e0badddf0"
},
{
"url": "https://git.kernel.org/stable/c/f589063b585ac6dd2081bde6c145411cf48d8d92"
},
{
"url": "https://git.kernel.org/stable/c/14228225091a0854b1de23e5b4fe8bdeeca9683b"
},
{
"url": "https://git.kernel.org/stable/c/f43ad5dc43240289f4cf13c16cc506f4f7087931"
},
{
"url": "https://git.kernel.org/stable/c/740dc3e846537c3743da98bf106f376023fd085c"
}
],
"title": "ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49241",
"datePublished": "2025-02-26T01:56:03.303Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-10-01T19:47:02.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49487 (GCVE-0-2022-49487)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()
It will cause null-ptr-deref when using 'res', if platform_get_resource()
returns NULL, so move using 'res' after devm_ioremap_resource() that
will check it to avoid null-ptr-deref.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:39:03.321140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:44.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/intel-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5b1e419cdb6dd8709eb05ed34039a3ded8e6003",
"status": "affected",
"version": "0b1039f016e8a37c779a4aee362cb2100ebb1cfd",
"versionType": "git"
},
{
"lessThan": "daa5166450b447415aeeaac0199e445bae7bd0f2",
"status": "affected",
"version": "0b1039f016e8a37c779a4aee362cb2100ebb1cfd",
"versionType": "git"
},
{
"lessThan": "f8e262eb7575a4a2412f30f7a1b293875aceba80",
"status": "affected",
"version": "0b1039f016e8a37c779a4aee362cb2100ebb1cfd",
"versionType": "git"
},
{
"lessThan": "ddf66aefd685fd46500b9917333e1b1e118276dc",
"status": "affected",
"version": "0b1039f016e8a37c779a4aee362cb2100ebb1cfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/intel-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:38:57.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5b1e419cdb6dd8709eb05ed34039a3ded8e6003"
},
{
"url": "https://git.kernel.org/stable/c/daa5166450b447415aeeaac0199e445bae7bd0f2"
},
{
"url": "https://git.kernel.org/stable/c/f8e262eb7575a4a2412f30f7a1b293875aceba80"
},
{
"url": "https://git.kernel.org/stable/c/ddf66aefd685fd46500b9917333e1b1e118276dc"
}
],
"title": "mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49487",
"datePublished": "2025-02-26T02:13:25.464Z",
"dateReserved": "2025-02-26T02:08:31.583Z",
"dateUpdated": "2025-10-01T19:46:44.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2201 (GCVE-0-2024-2201)
Vulnerability from cvelistv5
Published
2024-12-19 20:28
Modified
2025-01-09 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:51:54.984364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T16:40:32.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "See advisory \"x86: Native Branch History Injection\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1423",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T20:29:32.134Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/155143"
},
{
"url": "https://github.com/vusec/inspectre-gadget?tab=readme-ov-file"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/07/7"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-456.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QKNCPX7CJUK4I6BRGABAUQK2DMQZUCA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5OK6MH75S7YWD34EWW7QIZTS627RIE3/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYAZ7P6YFJ2E3FHKAGIKHWS46KYMMTZH/"
},
{
"url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.htm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-2201",
"x_generator": {
"engine": "VINCE 3.0.11",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-2201"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-2201",
"datePublished": "2024-12-19T20:28:31.596Z",
"dateReserved": "2024-03-05T19:12:39.649Z",
"dateUpdated": "2025-01-09T16:40:32.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49060 (GCVE-0-2022-49060)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
dev_name() was called with dev.parent as argument but without to
NULL-check it before.
Solve this by checking the pointer before the call to dev_name().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:49:56.005527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:06.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a05f5e26cb8bb4d07e0595545fcad1bb406f0085",
"status": "affected",
"version": "af5f60c7e3d593c2fa31b9a62c16eae75f074de3",
"versionType": "git"
},
{
"lessThan": "35b91e49bc80ca944a8679c3b139ddaf2f8eea0f",
"status": "affected",
"version": "af5f60c7e3d593c2fa31b9a62c16eae75f074de3",
"versionType": "git"
},
{
"lessThan": "3a523807f01455fe9a0c1a433f27cd4411ee400f",
"status": "affected",
"version": "af5f60c7e3d593c2fa31b9a62c16eae75f074de3",
"versionType": "git"
},
{
"lessThan": "22025513ced3d599ee8b24169141c95cf2467a4a",
"status": "affected",
"version": "af5f60c7e3d593c2fa31b9a62c16eae75f074de3",
"versionType": "git"
},
{
"lessThan": "d22f4f977236f97e01255a80bca2ea93a8094fc8",
"status": "affected",
"version": "af5f60c7e3d593c2fa31b9a62c16eae75f074de3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix NULL pointer dereference in smc_pnet_find_ib()\n\ndev_name() was called with dev.parent as argument but without to\nNULL-check it before.\nSolve this by checking the pointer before the call to dev_name()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:53.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a05f5e26cb8bb4d07e0595545fcad1bb406f0085"
},
{
"url": "https://git.kernel.org/stable/c/35b91e49bc80ca944a8679c3b139ddaf2f8eea0f"
},
{
"url": "https://git.kernel.org/stable/c/3a523807f01455fe9a0c1a433f27cd4411ee400f"
},
{
"url": "https://git.kernel.org/stable/c/22025513ced3d599ee8b24169141c95cf2467a4a"
},
{
"url": "https://git.kernel.org/stable/c/d22f4f977236f97e01255a80bca2ea93a8094fc8"
}
],
"title": "net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49060",
"datePublished": "2025-02-26T01:54:30.482Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-10-01T19:57:06.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49333 (GCVE-0-2022-49333)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: E-Switch, pair only capable devices
OFFLOADS paring using devcom is possible only on devices
that support LAG. Filter based on lag capabilities.
This fixes an issue where mlx5_get_next_phys_dev() was
called without holding the interface lock.
This issue was found when commit
bc4c2f2e0179 ("net/mlx5: Lag, filter non compatible devices")
added an assert that verifies the interface lock is held.
WARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]
Modules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]
CPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]
Code: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff <0f> 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff
RSP: 0018:ffff88811bf47458 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001
RDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78
RBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437
R10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000
R13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428
FS: 00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]
mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]
esw_offloads_enable+0x1153/0x1500 [mlx5_core]
? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]
? wait_for_completion_io_timeout+0x20/0x20
? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]
mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]
? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]
? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]
? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]
? __debugfs_create_file+0x260/0x3e0
mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]
? mutex_lock_io_nested+0x12c0/0x12c0
? esw_offloads_disable+0x250/0x250 [mlx5_core]
? devlink_nl_cmd_trap_get_dumpit+0x470/0x470
? rcu_read_lock_sched_held+0x3f/0x70
devlink_nl_cmd_eswitch_set_doit+0x217/0x620
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/dev.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c",
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h",
"drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cef0b7eb044bb8cfdaff4c1db55a8fd442f6bc9",
"status": "affected",
"version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
"versionType": "git"
},
{
"lessThan": "cdbcdddb8076a09aa6ddaf20fd911fc787dca0e5",
"status": "affected",
"version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
"versionType": "git"
},
{
"lessThan": "3008e6a0049361e731b803c60fe8f3ab44e1d73f",
"status": "affected",
"version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
"versionType": "git"
},
{
"status": "affected",
"version": "4d253ea99fbac316cbe4bafaf36087b592c2cd49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/dev.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c",
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h",
"drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-Switch, pair only capable devices\n\nOFFLOADS paring using devcom is possible only on devices\nthat support LAG. Filter based on lag capabilities.\n\nThis fixes an issue where mlx5_get_next_phys_dev() was\ncalled without holding the interface lock.\n\nThis issue was found when commit\nbc4c2f2e0179 (\"net/mlx5: Lag, filter non compatible devices\")\nadded an assert that verifies the interface lock is held.\n\nWARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nModules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]\nCPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nCode: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff \u003c0f\u003e 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff\nRSP: 0018:ffff88811bf47458 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001\nRDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78\nRBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437\nR10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000\nR13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428\nFS: 00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]\n mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]\n esw_offloads_enable+0x1153/0x1500 [mlx5_core]\n ? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]\n ? wait_for_completion_io_timeout+0x20/0x20\n ? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]\n mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]\n ? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]\n ? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]\n ? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]\n ? __debugfs_create_file+0x260/0x3e0\n mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]\n ? mutex_lock_io_nested+0x12c0/0x12c0\n ? esw_offloads_disable+0x250/0x250 [mlx5_core]\n ? devlink_nl_cmd_trap_get_dumpit+0x470/0x470\n ? rcu_read_lock_sched_held+0x3f/0x70\n devlink_nl_cmd_eswitch_set_doit+0x217/0x620"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:26.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cef0b7eb044bb8cfdaff4c1db55a8fd442f6bc9"
},
{
"url": "https://git.kernel.org/stable/c/cdbcdddb8076a09aa6ddaf20fd911fc787dca0e5"
},
{
"url": "https://git.kernel.org/stable/c/3008e6a0049361e731b803c60fe8f3ab44e1d73f"
}
],
"title": "net/mlx5: E-Switch, pair only capable devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49333",
"datePublished": "2025-02-26T02:10:52.081Z",
"dateReserved": "2025-02-26T02:08:31.539Z",
"dateUpdated": "2025-05-04T12:44:26.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58063 (GCVE-0-2024-58063)
Vulnerability from cvelistv5
Published
2025-03-06 15:54
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: fix memory leaks and invalid access at probe error path
Deinitialize at reverse order when probe fails.
When init_sw_vars fails, rtl_deinit_core should not be called, specially
now that it destroys the rtl_wq workqueue.
And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be
leaked.
Remove pci_set_drvdata call as it will already be cleaned up by the core
driver code and could lead to memory leaks too. cf. commit 8d450935ae7f
("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and
commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d Version: 0c8173385e549f95cd80c3fff5aab87b4f881d8d |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:28:06.599973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:37.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:58.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "455e0f40b5352186a9095f2135d5c89255e7c39a",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "624cea89a0865a2bc3e00182a6b0f954a94328b4",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "32acebca0a51f5e372536bfdc0d7d332ab749013",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "6b76bab5c257463302c9e97f5d84d524457468eb",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
},
{
"lessThan": "e7ceefbfd8d447abc8aca8ab993a942803522c06",
"status": "affected",
"version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: fix memory leaks and invalid access at probe error path\n\nDeinitialize at reverse order when probe fails.\n\nWhen init_sw_vars fails, rtl_deinit_core should not be called, specially\nnow that it destroys the rtl_wq workqueue.\n\nAnd call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be\nleaked.\n\nRemove pci_set_drvdata call as it will already be cleaned up by the core\ndriver code and could lead to memory leaks too. cf. commit 8d450935ae7f\n(\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and\ncommit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:07.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df"
},
{
"url": "https://git.kernel.org/stable/c/455e0f40b5352186a9095f2135d5c89255e7c39a"
},
{
"url": "https://git.kernel.org/stable/c/b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7"
},
{
"url": "https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47"
},
{
"url": "https://git.kernel.org/stable/c/624cea89a0865a2bc3e00182a6b0f954a94328b4"
},
{
"url": "https://git.kernel.org/stable/c/32acebca0a51f5e372536bfdc0d7d332ab749013"
},
{
"url": "https://git.kernel.org/stable/c/6b76bab5c257463302c9e97f5d84d524457468eb"
},
{
"url": "https://git.kernel.org/stable/c/e7ceefbfd8d447abc8aca8ab993a942803522c06"
}
],
"title": "wifi: rtlwifi: fix memory leaks and invalid access at probe error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58063",
"datePublished": "2025-03-06T15:54:05.258Z",
"dateReserved": "2025-03-06T15:52:09.181Z",
"dateUpdated": "2025-11-03T19:33:58.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21735 (GCVE-0-2025-21735)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: nci: Add bounds checking in nci_hci_create_pipe()
The "pipe" variable is a u8 which comes from the network. If it's more
than 127, then it results in memory corruption in the caller,
nci_hci_connect_gate().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f Version: a1b0b9415817c14d207921582f269d03f848b69f |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:40.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/hci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd249109d266f1d52548c46634a15b71656e0d44",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "674e17c5933779a8bf5c15d596fdfcb5ccdebbc2",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "10b3f947b609713e04022101f492d288a014ddfa",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "d5a461c315e5ff92657f84d8ba50caa5abf5c22a",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "2ae4bade5a64d126bd18eb66bd419005c5550218",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "59c7ed20217c0939862fbf8145bc49d5b3a13f4f",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
},
{
"lessThan": "110b43ef05342d5a11284cc8b21582b698b4ef1c",
"status": "affected",
"version": "a1b0b9415817c14d207921582f269d03f848b69f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/hci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Add bounds checking in nci_hci_create_pipe()\n\nThe \"pipe\" variable is a u8 which comes from the network. If it\u0027s more\nthan 127, then it results in memory corruption in the caller,\nnci_hci_connect_gate()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:02.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd249109d266f1d52548c46634a15b71656e0d44"
},
{
"url": "https://git.kernel.org/stable/c/674e17c5933779a8bf5c15d596fdfcb5ccdebbc2"
},
{
"url": "https://git.kernel.org/stable/c/10b3f947b609713e04022101f492d288a014ddfa"
},
{
"url": "https://git.kernel.org/stable/c/d5a461c315e5ff92657f84d8ba50caa5abf5c22a"
},
{
"url": "https://git.kernel.org/stable/c/172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e"
},
{
"url": "https://git.kernel.org/stable/c/2ae4bade5a64d126bd18eb66bd419005c5550218"
},
{
"url": "https://git.kernel.org/stable/c/59c7ed20217c0939862fbf8145bc49d5b3a13f4f"
},
{
"url": "https://git.kernel.org/stable/c/110b43ef05342d5a11284cc8b21582b698b4ef1c"
}
],
"title": "NFC: nci: Add bounds checking in nci_hci_create_pipe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21735",
"datePublished": "2025-02-27T02:12:12.202Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-11-03T19:36:40.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50056 (GCVE-0-2024-50056)
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2025-11-03 19:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c
Fix potential dereferencing of ERR_PTR() in find_format_by_pix()
and uvc_v4l2_enum_format().
Fix the following smatch errors:
drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()
error: 'fmtdesc' dereferencing possible ERR_PTR()
drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()
error: 'fmtdesc' dereferencing possible ERR_PTR()
Also, fix similar issue in uvc_v4l2_try_format() for potential
dereferencing of ERR_PTR().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:23:29.014877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:28:42.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:31:37.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/uvc_v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03fa71e97e9bb116993ec1d51b8a6fe776db0984",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72a68d2bede3284b95ee93a5ab3a81758bba95b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a7bb96b18864225a694e3887ac2733159489e4b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/uvc_v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c\n\nFix potential dereferencing of ERR_PTR() in find_format_by_pix()\nand uvc_v4l2_enum_format().\n\nFix the following smatch errors:\n\ndrivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()\nerror: \u0027fmtdesc\u0027 dereferencing possible ERR_PTR()\n\ndrivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()\nerror: \u0027fmtdesc\u0027 dereferencing possible ERR_PTR()\n\nAlso, fix similar issue in uvc_v4l2_try_format() for potential\ndereferencing of ERR_PTR()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:44:51.970Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03fa71e97e9bb116993ec1d51b8a6fe776db0984"
},
{
"url": "https://git.kernel.org/stable/c/72a68d2bede3284b95ee93a5ab3a81758bba95b0"
},
{
"url": "https://git.kernel.org/stable/c/cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6"
},
{
"url": "https://git.kernel.org/stable/c/a7bb96b18864225a694e3887ac2733159489e4b0"
}
],
"title": "usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50056",
"datePublished": "2024-10-21T19:39:47.131Z",
"dateReserved": "2024-10-21T19:36:19.938Z",
"dateUpdated": "2025-11-03T19:31:37.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58019 (GCVE-0-2024-58019)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 10:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvkm/gsp: correctly advance the read pointer of GSP message queue
A GSP event message consists three parts: message header, RPC header,
message body. GSP calculates the number of pages to write from the
total size of a GSP message. This behavior can be observed from the
movement of the write pointer.
However, nvkm takes only the size of RPC header and message body as
the message size when advancing the read pointer. When handling a
two-page GSP message in the non rollback case, It wrongly takes the
message body of the previous message as the message header of the next
message. As the "message length" tends to be zero, in the calculation of
size needs to be copied (0 - size of (message header)), the size needs to
be copied will be "0xffffffxx". It also triggers a kernel panic due to a
NULL pointer error.
[ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@.......
[ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................
[ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................
[ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................
[ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0
[ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0
[ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 547.669485] #PF: supervisor read access in kernel mode
[ 547.674624] #PF: error_code(0x0000) - not-present page
[ 547.679755] PGD 0 P4D 0
[ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1
[ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022
[ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]
[ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]
[ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05
[ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203
[ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f
[ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010
[ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0
[ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000
[ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000
[ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000
[ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0
[ 547.793896] PKRU: 55555554
[ 547.796600] Call Trace:
[ 547.799046] <TASK>
[ 547.801152] ? __die+0x20/0x70
[ 547.804211] ? page_fault_oops+0x75/0x170
[ 547.808221] ? print_hex_dump+0x100/0x160
[ 547.812226] ? exc_page_fault+0x64/0x150
[ 547.816152] ? asm_exc_page_fault+0x22/0x30
[ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm]
[ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm]
[ 547.829845] process_one_work+0x196/0x3d0
[ 547.833861] worker_thread+0x2fc/0x410
[ 547.837613] ? __pfx_worker_thread+0x10/0x10
[ 547.841885] kthread+0xdf/0x110
[ 547.845031] ? __pfx_kthread+0x10/0x10
[ 547.848775] ret_from_fork+0x30/0x50
[ 547.852354] ? __pfx_kthread+0x10/0x10
[ 547.856097] ret_from_fork_asm+0x1a/0x30
[ 547.860019] </TASK>
[ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5185e63b45ea39339ed83f269e2ddfafb07e70d9",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
},
{
"lessThan": "67c9cf82f50236d9c000333b26b4f95eb2c3e1b2",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
},
{
"lessThan": "8d9beb4aebc02c4bd09e1d39c9c5f1c68c786dbc",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm/gsp: correctly advance the read pointer of GSP message queue\n\nA GSP event message consists three parts: message header, RPC header,\nmessage body. GSP calculates the number of pages to write from the\ntotal size of a GSP message. This behavior can be observed from the\nmovement of the write pointer.\n\nHowever, nvkm takes only the size of RPC header and message body as\nthe message size when advancing the read pointer. When handling a\ntwo-page GSP message in the non rollback case, It wrongly takes the\nmessage body of the previous message as the message header of the next\nmessage. As the \"message length\" tends to be zero, in the calculation of\nsize needs to be copied (0 - size of (message header)), the size needs to\nbe copied will be \"0xffffffxx\". It also triggers a kernel panic due to a\nNULL pointer error.\n\n[ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@.......\n[ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................\n[ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................\n[ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................\n[ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[ 547.669485] #PF: supervisor read access in kernel mode\n[ 547.674624] #PF: error_code(0x0000) - not-present page\n[ 547.679755] PGD 0 P4D 0\n[ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1\n[ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]\n[ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 \u003c8b\u003e 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05\n[ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203\n[ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f\n[ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010\n[ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0\n[ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000\n[ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000\n[ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000\n[ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0\n[ 547.793896] PKRU: 55555554\n[ 547.796600] Call Trace:\n[ 547.799046] \u003cTASK\u003e\n[ 547.801152] ? __die+0x20/0x70\n[ 547.804211] ? page_fault_oops+0x75/0x170\n[ 547.808221] ? print_hex_dump+0x100/0x160\n[ 547.812226] ? exc_page_fault+0x64/0x150\n[ 547.816152] ? asm_exc_page_fault+0x22/0x30\n[ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm]\n[ 547.829845] process_one_work+0x196/0x3d0\n[ 547.833861] worker_thread+0x2fc/0x410\n[ 547.837613] ? __pfx_worker_thread+0x10/0x10\n[ 547.841885] kthread+0xdf/0x110\n[ 547.845031] ? __pfx_kthread+0x10/0x10\n[ 547.848775] ret_from_fork+0x30/0x50\n[ 547.852354] ? __pfx_kthread+0x10/0x10\n[ 547.856097] ret_from_fork_asm+0x1a/0x30\n[ 547.860019] \u003c/TASK\u003e\n[ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:08:35.181Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5185e63b45ea39339ed83f269e2ddfafb07e70d9"
},
{
"url": "https://git.kernel.org/stable/c/67c9cf82f50236d9c000333b26b4f95eb2c3e1b2"
},
{
"url": "https://git.kernel.org/stable/c/8d9beb4aebc02c4bd09e1d39c9c5f1c68c786dbc"
}
],
"title": "nvkm/gsp: correctly advance the read pointer of GSP message queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58019",
"datePublished": "2025-02-27T02:12:10.109Z",
"dateReserved": "2025-02-27T02:10:48.228Z",
"dateUpdated": "2025-05-04T10:08:35.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0168 (GCVE-0-2022-0168)
Vulnerability from cvelistv5
Published
2022-08-26 17:25
Modified
2024-08-02 23:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - - NULL Pointer Dereference
Summary
A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2037386"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0168"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6f5e358452479fa8a773b5c6ccc9e4ec5a20880"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Affects v5.4\u20135.12, v5.13-rc+HEAD"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service (DOS) issue was found in the Linux kernel\u2019s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 - NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:46",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2037386"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0168"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6f5e358452479fa8a773b5c6ccc9e4ec5a20880"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0168",
"datePublished": "2022-08-26T17:25:46",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49247 (GCVE-0-2022-49247)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
If the callback 'start_streaming' fails, then all
queued buffers in the driver should be returned with
state 'VB2_BUF_STATE_QUEUED'. Currently, they are
returned with 'VB2_BUF_STATE_ERROR' which is wrong.
Fix this. This also fixes the warning:
[ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]
[ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6
[ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14
[ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT)
[ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]
[ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]
[ 65.592395] sp : ffff800012bc3ad0
[ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8
[ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612
[ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0
[ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff
[ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78
[ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce
[ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228
[ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78
[ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880
[ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0
[ 65.598940] Call trace:
[ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common]
[ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]
[ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2]
[ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]
[ 65.601103] v4l_streamon+0x3c/0x50 [videodev]
[ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev]
[ 65.601977] video_usercopy+0x320/0x828 [videodev]
[ 65.602419] video_ioctl2+0x3c/0x58 [videodev]
[ 65.602830] v4l2_ioctl+0x60/0x90 [videodev]
[ 65.603227] __arm64_sys_ioctl+0xa8/0xe0
[ 65.603576] invoke_syscall+0x54/0x118
[ 65.603911] el0_svc_common.constprop.3+0x84/0x100
[ 65.604332] do_el0_svc+0x34/0xa0
[ 65.604625] el0_svc+0x1c/0x50
[ 65.604897] el0t_64_sync_handler+0x88/0xb0
[ 65.605264] el0t_64_sync+0x16c/0x170
[ 65.605587] ---[ end trace 578e0ba07742170d ]---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 Version: 8ac456495a33d9466076fea94594181ceefb76d9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/stk1160/stk1160-core.c",
"drivers/media/usb/stk1160/stk1160-v4l.c",
"drivers/media/usb/stk1160/stk1160.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03054f22d5abd80ad89547512c2bfbfb2714d3ed",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "f04a520a422222fc921bf035dc67414c500a286a",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "3cc050df73e3d973f1870a8dc0e177e77670bc7f",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "4d68603cc4382174bc1e7d532e10675c48c6b257",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "a09e9882800fdfc5aab93f77c3f0132071d2191b",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "2874122ca4ca74adec72d6d6bf8828228ec20f15",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "f66e6fd1488d26229f11d86616de1b658c70fa8a",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
},
{
"lessThan": "fbe04b49a54e31f4321d632270207f0e6304cd16",
"status": "affected",
"version": "8ac456495a33d9466076fea94594181ceefb76d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/stk1160/stk1160-core.c",
"drivers/media/usb/stk1160/stk1160-v4l.c",
"drivers/media/usb/stk1160/stk1160.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED\n\nIf the callback \u0027start_streaming\u0027 fails, then all\nqueued buffers in the driver should be returned with\nstate \u0027VB2_BUF_STATE_QUEUED\u0027. Currently, they are\nreturned with \u0027VB2_BUF_STATE_ERROR\u0027 which is wrong.\nFix this. This also fixes the warning:\n\n[ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6\n[ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14\n[ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT)\n[ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]\n[ 65.592395] sp : ffff800012bc3ad0\n[ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8\n[ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612\n[ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0\n[ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff\n[ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78\n[ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce\n[ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228\n[ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78\n[ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880\n[ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0\n[ 65.598940] Call trace:\n[ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]\n[ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2]\n[ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]\n[ 65.601103] v4l_streamon+0x3c/0x50 [videodev]\n[ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev]\n[ 65.601977] video_usercopy+0x320/0x828 [videodev]\n[ 65.602419] video_ioctl2+0x3c/0x58 [videodev]\n[ 65.602830] v4l2_ioctl+0x60/0x90 [videodev]\n[ 65.603227] __arm64_sys_ioctl+0xa8/0xe0\n[ 65.603576] invoke_syscall+0x54/0x118\n[ 65.603911] el0_svc_common.constprop.3+0x84/0x100\n[ 65.604332] do_el0_svc+0x34/0xa0\n[ 65.604625] el0_svc+0x1c/0x50\n[ 65.604897] el0t_64_sync_handler+0x88/0xb0\n[ 65.605264] el0t_64_sync+0x16c/0x170\n[ 65.605587] ---[ end trace 578e0ba07742170d ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:17.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03054f22d5abd80ad89547512c2bfbfb2714d3ed"
},
{
"url": "https://git.kernel.org/stable/c/f04a520a422222fc921bf035dc67414c500a286a"
},
{
"url": "https://git.kernel.org/stable/c/3cc050df73e3d973f1870a8dc0e177e77670bc7f"
},
{
"url": "https://git.kernel.org/stable/c/4d68603cc4382174bc1e7d532e10675c48c6b257"
},
{
"url": "https://git.kernel.org/stable/c/a09e9882800fdfc5aab93f77c3f0132071d2191b"
},
{
"url": "https://git.kernel.org/stable/c/2874122ca4ca74adec72d6d6bf8828228ec20f15"
},
{
"url": "https://git.kernel.org/stable/c/f66e6fd1488d26229f11d86616de1b658c70fa8a"
},
{
"url": "https://git.kernel.org/stable/c/fbe04b49a54e31f4321d632270207f0e6304cd16"
}
],
"title": "media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49247",
"datePublished": "2025-02-26T01:56:06.224Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:17.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49277 (GCVE-0-2022-49277)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix memory leak in jffs2_do_mount_fs
If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:
--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
unreferenced object 0xffff88812c760000 (size 65536):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
backtrace:
[<ffffffffa493a449>] __kmalloc+0x6b9/0x910
[<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
--------------------------------------------
This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 Version: e631ddba588783edd521c5a89f7b2902772fb691 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:30.429397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:01.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jffs2/build.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a9d8184458562e6bf2f40d0e677fc85e2dd3834",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "9a0f6610c7daedd2eace430beeb08a8b7ac80699",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "dbe0d0521eaa6a3d235517319266c539bb5c5112",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "0978e9af4559a171ac7a74a1b3ef21804b0a0fa9",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "607d3aab7349f18e0d9dba4100d09d16fe27caca",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "4392e8aeebc5a4f8073620bccba7de1b1f6d7c88",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "5f34310d1376ca5b2ed798258def2c2ab3cc6699",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "c94128470e6fe53d9bd9d16d2d3271813f9d37af",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
},
{
"lessThan": "d051cef784de4d54835f6b6836d98a8f6935772c",
"status": "affected",
"version": "e631ddba588783edd521c5a89f7b2902772fb691",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jffs2/build.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_do_mount_fs\n\nIf jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,\nwe can observe the following kmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88811b25a640 (size 64):\n comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffffa493be24\u003e] kmem_cache_alloc_trace+0x584/0x880\n [\u003cffffffffa5423a06\u003e] jffs2_sum_init+0x86/0x130\n [\u003cffffffffa5400e58\u003e] jffs2_do_mount_fs+0x798/0xac0\n [\u003cffffffffa540acf3\u003e] jffs2_do_fill_super+0x383/0xc30\n [\u003cffffffffa540c00a\u003e] jffs2_fill_super+0x2ea/0x4c0\n [...]\nunreferenced object 0xffff88812c760000 (size 65536):\n comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n hex dump (first 32 bytes):\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n backtrace:\n [\u003cffffffffa493a449\u003e] __kmalloc+0x6b9/0x910\n [\u003cffffffffa5423a57\u003e] jffs2_sum_init+0xd7/0x130\n [\u003cffffffffa5400e58\u003e] jffs2_do_mount_fs+0x798/0xac0\n [\u003cffffffffa540acf3\u003e] jffs2_do_fill_super+0x383/0xc30\n [\u003cffffffffa540c00a\u003e] jffs2_fill_super+0x2ea/0x4c0\n [...]\n--------------------------------------------\n\nThis is because the resources allocated in jffs2_sum_init() are not\nreleased. Call jffs2_sum_exit() to release these resources to solve\nthe problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:00.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a9d8184458562e6bf2f40d0e677fc85e2dd3834"
},
{
"url": "https://git.kernel.org/stable/c/9a0f6610c7daedd2eace430beeb08a8b7ac80699"
},
{
"url": "https://git.kernel.org/stable/c/dbe0d0521eaa6a3d235517319266c539bb5c5112"
},
{
"url": "https://git.kernel.org/stable/c/0978e9af4559a171ac7a74a1b3ef21804b0a0fa9"
},
{
"url": "https://git.kernel.org/stable/c/607d3aab7349f18e0d9dba4100d09d16fe27caca"
},
{
"url": "https://git.kernel.org/stable/c/4392e8aeebc5a4f8073620bccba7de1b1f6d7c88"
},
{
"url": "https://git.kernel.org/stable/c/5f34310d1376ca5b2ed798258def2c2ab3cc6699"
},
{
"url": "https://git.kernel.org/stable/c/c94128470e6fe53d9bd9d16d2d3271813f9d37af"
},
{
"url": "https://git.kernel.org/stable/c/d051cef784de4d54835f6b6836d98a8f6935772c"
}
],
"title": "jffs2: fix memory leak in jffs2_do_mount_fs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49277",
"datePublished": "2025-02-26T01:56:21.037Z",
"dateReserved": "2025-02-26T01:49:39.298Z",
"dateUpdated": "2025-10-01T19:47:01.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49176 (GCVE-0-2022-49176)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfq: fix use-after-free in bfq_dispatch_request
KASAN reports a use-after-free report when doing normal scsi-mq test
[69832.239032] ==================================================================
[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0
[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155
[69832.244656]
[69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8
[69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[69832.249069] Workqueue: kblockd blk_mq_run_work_fn
[69832.250022] Call Trace:
[69832.250541] dump_stack+0x9b/0xce
[69832.251232] ? bfq_dispatch_request+0x1045/0x44b0
[69832.252243] print_address_description.constprop.6+0x3e/0x60
[69832.253381] ? __cpuidle_text_end+0x5/0x5
[69832.254211] ? vprintk_func+0x6b/0x120
[69832.254994] ? bfq_dispatch_request+0x1045/0x44b0
[69832.255952] ? bfq_dispatch_request+0x1045/0x44b0
[69832.256914] kasan_report.cold.9+0x22/0x3a
[69832.257753] ? bfq_dispatch_request+0x1045/0x44b0
[69832.258755] check_memory_region+0x1c1/0x1e0
[69832.260248] bfq_dispatch_request+0x1045/0x44b0
[69832.261181] ? bfq_bfqq_expire+0x2440/0x2440
[69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170
[69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830
[69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100
[69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0
[69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570
[69832.267147] ? __switch_to+0x5f4/0xee0
[69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140
[69832.268946] __blk_mq_run_hw_queue+0xc0/0x270
[69832.269840] blk_mq_run_work_fn+0x51/0x60
[69832.278170] process_one_work+0x6d4/0xfe0
[69832.278984] worker_thread+0x91/0xc80
[69832.279726] ? __kthread_parkme+0xb0/0x110
[69832.280554] ? process_one_work+0xfe0/0xfe0
[69832.281414] kthread+0x32d/0x3f0
[69832.282082] ? kthread_park+0x170/0x170
[69832.282849] ret_from_fork+0x1f/0x30
[69832.283573]
[69832.283886] Allocated by task 7725:
[69832.284599] kasan_save_stack+0x19/0x40
[69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0
[69832.286350] kmem_cache_alloc_node+0x13f/0x460
[69832.287237] bfq_get_queue+0x3d4/0x1140
[69832.287993] bfq_get_bfqq_handle_split+0x103/0x510
[69832.289015] bfq_init_rq+0x337/0x2d50
[69832.289749] bfq_insert_requests+0x304/0x4e10
[69832.290634] blk_mq_sched_insert_requests+0x13e/0x390
[69832.291629] blk_mq_flush_plug_list+0x4b4/0x760
[69832.292538] blk_flush_plug_list+0x2c5/0x480
[69832.293392] io_schedule_prepare+0xb2/0xd0
[69832.294209] io_schedule_timeout+0x13/0x80
[69832.295014] wait_for_common_io.constprop.1+0x13c/0x270
[69832.296137] submit_bio_wait+0x103/0x1a0
[69832.296932] blkdev_issue_discard+0xe6/0x160
[69832.297794] blk_ioctl_discard+0x219/0x290
[69832.298614] blkdev_common_ioctl+0x50a/0x1750
[69832.304715] blkdev_ioctl+0x470/0x600
[69832.305474] block_ioctl+0xde/0x120
[69832.306232] vfs_ioctl+0x6c/0xc0
[69832.306877] __se_sys_ioctl+0x90/0xa0
[69832.307629] do_syscall_64+0x2d/0x40
[69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[69832.309382]
[69832.309701] Freed by task 155:
[69832.310328] kasan_save_stack+0x19/0x40
[69832.311121] kasan_set_track+0x1c/0x30
[69832.311868] kasan_set_free_info+0x1b/0x30
[69832.312699] __kasan_slab_free+0x111/0x160
[69832.313524] kmem_cache_free+0x94/0x460
[69832.314367] bfq_put_queue+0x582/0x940
[69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0
[69832.317275] bfq_bfqq_expire+0xb27/0x2440
[69832.318084] bfq_dispatch_request+0x697/0x44b0
[69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830
[69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0
[69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140
[69832.322225] __blk_mq_run_hw_queue+0xc0/0x270
[69832.323114] blk_mq_run_work_fn+0x51/0x6
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 Version: aee69d78dec0ffdf82e35d57c626e80dddc314d5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:06.859094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:34.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74e610b5ee0d95e751280567100509eb11517efa",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "5117c9ff4c2ebae0f5c2c262d42a25a8fbc086e6",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "df6e00b1a53c57dca82c63b5ecbcad5452231bc7",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "080665e2c3cbfc68359b9a348a3546ed9b908e7a",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "5687958bf18f84384d809f521210d0f5deed03b0",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "40b4ba0030e0b02cbacd424ebb9f4c8b0976c786",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
},
{
"lessThan": "ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a",
"status": "affected",
"version": "aee69d78dec0ffdf82e35d57c626e80dddc314d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: fix use-after-free in bfq_dispatch_request\n\nKASAN reports a use-after-free report when doing normal scsi-mq test\n\n[69832.239032] ==================================================================\n[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0\n[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155\n[69832.244656]\n[69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8\n[69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[69832.249069] Workqueue: kblockd blk_mq_run_work_fn\n[69832.250022] Call Trace:\n[69832.250541] dump_stack+0x9b/0xce\n[69832.251232] ? bfq_dispatch_request+0x1045/0x44b0\n[69832.252243] print_address_description.constprop.6+0x3e/0x60\n[69832.253381] ? __cpuidle_text_end+0x5/0x5\n[69832.254211] ? vprintk_func+0x6b/0x120\n[69832.254994] ? bfq_dispatch_request+0x1045/0x44b0\n[69832.255952] ? bfq_dispatch_request+0x1045/0x44b0\n[69832.256914] kasan_report.cold.9+0x22/0x3a\n[69832.257753] ? bfq_dispatch_request+0x1045/0x44b0\n[69832.258755] check_memory_region+0x1c1/0x1e0\n[69832.260248] bfq_dispatch_request+0x1045/0x44b0\n[69832.261181] ? bfq_bfqq_expire+0x2440/0x2440\n[69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170\n[69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830\n[69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100\n[69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0\n[69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570\n[69832.267147] ? __switch_to+0x5f4/0xee0\n[69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140\n[69832.268946] __blk_mq_run_hw_queue+0xc0/0x270\n[69832.269840] blk_mq_run_work_fn+0x51/0x60\n[69832.278170] process_one_work+0x6d4/0xfe0\n[69832.278984] worker_thread+0x91/0xc80\n[69832.279726] ? __kthread_parkme+0xb0/0x110\n[69832.280554] ? process_one_work+0xfe0/0xfe0\n[69832.281414] kthread+0x32d/0x3f0\n[69832.282082] ? kthread_park+0x170/0x170\n[69832.282849] ret_from_fork+0x1f/0x30\n[69832.283573]\n[69832.283886] Allocated by task 7725:\n[69832.284599] kasan_save_stack+0x19/0x40\n[69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0\n[69832.286350] kmem_cache_alloc_node+0x13f/0x460\n[69832.287237] bfq_get_queue+0x3d4/0x1140\n[69832.287993] bfq_get_bfqq_handle_split+0x103/0x510\n[69832.289015] bfq_init_rq+0x337/0x2d50\n[69832.289749] bfq_insert_requests+0x304/0x4e10\n[69832.290634] blk_mq_sched_insert_requests+0x13e/0x390\n[69832.291629] blk_mq_flush_plug_list+0x4b4/0x760\n[69832.292538] blk_flush_plug_list+0x2c5/0x480\n[69832.293392] io_schedule_prepare+0xb2/0xd0\n[69832.294209] io_schedule_timeout+0x13/0x80\n[69832.295014] wait_for_common_io.constprop.1+0x13c/0x270\n[69832.296137] submit_bio_wait+0x103/0x1a0\n[69832.296932] blkdev_issue_discard+0xe6/0x160\n[69832.297794] blk_ioctl_discard+0x219/0x290\n[69832.298614] blkdev_common_ioctl+0x50a/0x1750\n[69832.304715] blkdev_ioctl+0x470/0x600\n[69832.305474] block_ioctl+0xde/0x120\n[69832.306232] vfs_ioctl+0x6c/0xc0\n[69832.306877] __se_sys_ioctl+0x90/0xa0\n[69832.307629] do_syscall_64+0x2d/0x40\n[69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[69832.309382]\n[69832.309701] Freed by task 155:\n[69832.310328] kasan_save_stack+0x19/0x40\n[69832.311121] kasan_set_track+0x1c/0x30\n[69832.311868] kasan_set_free_info+0x1b/0x30\n[69832.312699] __kasan_slab_free+0x111/0x160\n[69832.313524] kmem_cache_free+0x94/0x460\n[69832.314367] bfq_put_queue+0x582/0x940\n[69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0\n[69832.317275] bfq_bfqq_expire+0xb27/0x2440\n[69832.318084] bfq_dispatch_request+0x697/0x44b0\n[69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830\n[69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0\n[69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140\n[69832.322225] __blk_mq_run_hw_queue+0xc0/0x270\n[69832.323114] blk_mq_run_work_fn+0x51/0x6\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:38.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74e610b5ee0d95e751280567100509eb11517efa"
},
{
"url": "https://git.kernel.org/stable/c/5117c9ff4c2ebae0f5c2c262d42a25a8fbc086e6"
},
{
"url": "https://git.kernel.org/stable/c/df6e00b1a53c57dca82c63b5ecbcad5452231bc7"
},
{
"url": "https://git.kernel.org/stable/c/080665e2c3cbfc68359b9a348a3546ed9b908e7a"
},
{
"url": "https://git.kernel.org/stable/c/5687958bf18f84384d809f521210d0f5deed03b0"
},
{
"url": "https://git.kernel.org/stable/c/40b4ba0030e0b02cbacd424ebb9f4c8b0976c786"
},
{
"url": "https://git.kernel.org/stable/c/ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a"
}
],
"title": "bfq: fix use-after-free in bfq_dispatch_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49176",
"datePublished": "2025-02-26T01:55:30.586Z",
"dateReserved": "2025-02-26T01:49:39.280Z",
"dateUpdated": "2025-05-04T08:31:38.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57996 (GCVE-0-2024-57996)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-11-03 19:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: don't allow 1 packet limit
The current implementation does not work correctly with a limit of
1. iproute2 actually checks for this and this patch adds the check in
kernel as well.
This fixes the following syzkaller reported crash:
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x125/0x19f lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:148 [inline]
__ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347
sfq_link net/sched/sch_sfq.c:210 [inline]
sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238
sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500
sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296
netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]
dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362
__dev_close_many+0x214/0x350 net/core/dev.c:1468
dev_close_many+0x207/0x510 net/core/dev.c:1506
unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738
unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695
unregister_netdevice include/linux/netdevice.h:2893 [inline]
__tun_detach+0x6b6/0x1600 drivers/net/tun.c:689
tun_detach drivers/net/tun.c:705 [inline]
tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640
__fput+0x203/0x840 fs/file_table.c:280
task_work_run+0x129/0x1b0 kernel/task_work.c:185
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x5ce/0x2200 kernel/exit.c:931
do_group_exit+0x144/0x310 kernel/exit.c:1046
__do_sys_exit_group kernel/exit.c:1057 [inline]
__se_sys_exit_group kernel/exit.c:1055 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055
do_syscall_64+0x6c/0xd0
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fe5e7b52479
Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.
RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0
R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270
The crash can be also be reproduced with the following (with a tc
recompiled to allow for sfq limits of 1):
tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s
../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1
ifconfig dummy0 up
ping -I dummy0 -f -c2 -W0.1 8.8.8.8
sleep 1
Scenario that triggers the crash:
* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1
* TBF dequeues: it peeks from SFQ which moves the packet to the
gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so
it schedules itself for later.
* the second packet is sent and TBF tries to queues it to SFQ. qdisc
qlen is now 2 and because the SFQ limit is 1 the packet is dropped
by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,
however q->tail is not NULL.
At this point, assuming no more packets are queued, when sch_dequeue
runs again it will decrement the qlen for the current empty slot
causing an underflow and the subsequent out of bounds access.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:07.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e12f6013d0a69660e8b99bfe381b9546ae667328",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x125/0x19f lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:148 [inline]\n __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n sfq_link net/sched/sch_sfq.c:210 [inline]\n sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n __dev_close_many+0x214/0x350 net/core/dev.c:1468\n dev_close_many+0x207/0x510 net/core/dev.c:1506\n unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n unregister_netdevice include/linux/netdevice.h:2893 [inline]\n __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n tun_detach drivers/net/tun.c:705 [inline]\n tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n __fput+0x203/0x840 fs/file_table.c:280\n task_work_run+0x129/0x1b0 kernel/task_work.c:185\n exit_task_work include/linux/task_work.h:33 [inline]\n do_exit+0x5ce/0x2200 kernel/exit.c:931\n do_group_exit+0x144/0x310 kernel/exit.c:1046\n __do_sys_exit_group kernel/exit.c:1057 [inline]\n __se_sys_exit_group kernel/exit.c:1055 [inline]\n __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:42:44.697Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e12f6013d0a69660e8b99bfe381b9546ae667328"
},
{
"url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
},
{
"url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
},
{
"url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
},
{
"url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
},
{
"url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
},
{
"url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
},
{
"url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
}
],
"title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57996",
"datePublished": "2025-02-27T02:07:16.765Z",
"dateReserved": "2025-02-27T02:04:28.914Z",
"dateUpdated": "2025-11-03T19:33:07.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49545 (GCVE-0-2022-49545)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Cancel pending work at closing a MIDI substream
At closing a USB MIDI output substream, there might be still a pending
work, which would eventually access the rawmidi runtime object that is
being released. For fixing the race, make sure to cancel the pending
work at closing.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40bdb5ec957aca5c5c1924602bef6b0ab18e22d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11868ca21585561659c2575b0d6508ef8e9c4291",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e5fe2b6065541c6216a7a003b0cddf386be0d2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "517dcef4d2dda0132648f1e4c079ed17bba4d1a4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0125de38122f0f66bf61336158d12a1aabfe6425",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Cancel pending work at closing a MIDI substream\n\nAt closing a USB MIDI output substream, there might be still a pending\nwork, which would eventually access the rawmidi runtime object that is\nbeing released. For fixing the race, make sure to cancel the pending\nwork at closing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:14.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40bdb5ec957aca5c5c1924602bef6b0ab18e22d3"
},
{
"url": "https://git.kernel.org/stable/c/11868ca21585561659c2575b0d6508ef8e9c4291"
},
{
"url": "https://git.kernel.org/stable/c/5e5fe2b6065541c6216a7a003b0cddf386be0d2d"
},
{
"url": "https://git.kernel.org/stable/c/517dcef4d2dda0132648f1e4c079ed17bba4d1a4"
},
{
"url": "https://git.kernel.org/stable/c/0125de38122f0f66bf61336158d12a1aabfe6425"
}
],
"title": "ALSA: usb-audio: Cancel pending work at closing a MIDI substream",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49545",
"datePublished": "2025-02-26T02:13:58.363Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-05-04T08:40:14.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49343 (GCVE-0-2022-49343)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid cycles in directory h-tree
A maliciously corrupted filesystem can contain cycles in the h-tree
stored inside a directory. That can easily lead to the kernel corrupting
tree nodes that were already verified under its hands while doing a node
split and consequently accessing unallocated memory. Fix the problem by
verifying traversed block numbers are unique.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24b8206fec1db21d7e82f21f0b2ff5e5672cf5b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e157c8f87e8fac112d6c955e69a60cdb9bc80a60",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ff4cafa51762da3824881a9000ca421d4b78b138",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5a16a6df2c16eaf4de04948553ef0089dee463f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6084240bfc44bf265ab6ae7d96980469b05be0f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ba733f879c2a88910744647e41edeefbc0d92b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid cycles in directory h-tree\n\nA maliciously corrupted filesystem can contain cycles in the h-tree\nstored inside a directory. That can easily lead to the kernel corrupting\ntree nodes that were already verified under its hands while doing a node\nsplit and consequently accessing unallocated memory. Fix the problem by\nverifying traversed block numbers are unique."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:42.522Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24b8206fec1db21d7e82f21f0b2ff5e5672cf5b3"
},
{
"url": "https://git.kernel.org/stable/c/b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0"
},
{
"url": "https://git.kernel.org/stable/c/e157c8f87e8fac112d6c955e69a60cdb9bc80a60"
},
{
"url": "https://git.kernel.org/stable/c/ff4cafa51762da3824881a9000ca421d4b78b138"
},
{
"url": "https://git.kernel.org/stable/c/3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc"
},
{
"url": "https://git.kernel.org/stable/c/d5a16a6df2c16eaf4de04948553ef0089dee463f"
},
{
"url": "https://git.kernel.org/stable/c/6084240bfc44bf265ab6ae7d96980469b05be0f1"
},
{
"url": "https://git.kernel.org/stable/c/3ba733f879c2a88910744647e41edeefbc0d92b2"
}
],
"title": "ext4: avoid cycles in directory h-tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49343",
"datePublished": "2025-02-26T02:10:59.970Z",
"dateReserved": "2025-02-26T02:08:31.542Z",
"dateUpdated": "2025-05-04T08:35:42.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49581 (GCVE-0-2022-49581)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-05-04 08:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix buffer overflow in be_get_module_eeprom
be_cmd_read_port_transceiver_data assumes that it is given a buffer that
is at least PAGE_DATA_LEN long, or twice that if the module supports SFF
8472. However, this is not always the case.
Fix this by passing the desired offset and length to
be_cmd_read_port_transceiver_data so that we only copy the bytes once.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 Version: e36edd9d26cf257511548edaf2b7a56eb4fed854 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c",
"drivers/net/ethernet/emulex/benet/be_cmds.h",
"drivers/net/ethernet/emulex/benet/be_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5a8fc0679a8fd58d47aa2ebcfc5742631f753f9",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "fe4473fc7940f14c4a12db873b9729134c212654",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "8ff4f9df73e5c551a72ee6034886c17e8de6596d",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "a8569f76df7ec5b4b51155c57523a0b356db5741",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "665cbe91de2f7c97c51ca8fce39aae26477c1948",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "aba8ff847f4f927ad7a1a1ee4a9f29989a1a728f",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "18043da94c023f3ef09c15017bdb04e8f695ef10",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "d7241f679a59cfe27f92cb5c6272cb429fb1f7ec",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c",
"drivers/net/ethernet/emulex/benet/be_cmds.h",
"drivers/net/ethernet/emulex/benet/be_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.325",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.290",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix buffer overflow in be_get_module_eeprom\n\nbe_cmd_read_port_transceiver_data assumes that it is given a buffer that\nis at least PAGE_DATA_LEN long, or twice that if the module supports SFF\n8472. However, this is not always the case.\n\nFix this by passing the desired offset and length to\nbe_cmd_read_port_transceiver_data so that we only copy the bytes once."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:06.565Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5a8fc0679a8fd58d47aa2ebcfc5742631f753f9"
},
{
"url": "https://git.kernel.org/stable/c/fe4473fc7940f14c4a12db873b9729134c212654"
},
{
"url": "https://git.kernel.org/stable/c/8ff4f9df73e5c551a72ee6034886c17e8de6596d"
},
{
"url": "https://git.kernel.org/stable/c/a8569f76df7ec5b4b51155c57523a0b356db5741"
},
{
"url": "https://git.kernel.org/stable/c/665cbe91de2f7c97c51ca8fce39aae26477c1948"
},
{
"url": "https://git.kernel.org/stable/c/aba8ff847f4f927ad7a1a1ee4a9f29989a1a728f"
},
{
"url": "https://git.kernel.org/stable/c/18043da94c023f3ef09c15017bdb04e8f695ef10"
},
{
"url": "https://git.kernel.org/stable/c/d7241f679a59cfe27f92cb5c6272cb429fb1f7ec"
}
],
"title": "be2net: Fix buffer overflow in be_get_module_eeprom",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49581",
"datePublished": "2025-02-26T02:23:19.148Z",
"dateReserved": "2025-02-26T02:21:30.412Z",
"dateUpdated": "2025-05-04T08:41:06.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21773 (GCVE-0-2025-21773)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: fix potential NULL pointer dereference on udev->serial
The driver assumed that es58x_dev->udev->serial could never be NULL.
While this is true on commercially available devices, an attacker
could spoof the device identity providing a NULL USB serial number.
That would trigger a NULL pointer dereference.
Add a check on es58x_dev->udev->serial before accessing it.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:30:35.613393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:40.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1590667a60753ee5a54871f2840ceefd4a7831fa",
"status": "affected",
"version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
"versionType": "git"
},
{
"lessThan": "722e8e1219c8b6ac2865011fe339315d6a8d0721",
"status": "affected",
"version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
"versionType": "git"
},
{
"lessThan": "5059ea98d7bc133903d3e47ab36df6ed11d0c95f",
"status": "affected",
"version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
"versionType": "git"
},
{
"lessThan": "a1ad2109ce41c9e3912dadd07ad8a9c640064ffb",
"status": "affected",
"version": "9f06631c3f1f0f298536443df85a6837ba4c5f5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: fix potential NULL pointer dereference on udev-\u003eserial\n\nThe driver assumed that es58x_dev-\u003eudev-\u003eserial could never be NULL.\nWhile this is true on commercially available devices, an attacker\ncould spoof the device identity providing a NULL USB serial number.\nThat would trigger a NULL pointer dereference.\n\nAdd a check on es58x_dev-\u003eudev-\u003eserial before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:48.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1590667a60753ee5a54871f2840ceefd4a7831fa"
},
{
"url": "https://git.kernel.org/stable/c/722e8e1219c8b6ac2865011fe339315d6a8d0721"
},
{
"url": "https://git.kernel.org/stable/c/5059ea98d7bc133903d3e47ab36df6ed11d0c95f"
},
{
"url": "https://git.kernel.org/stable/c/a1ad2109ce41c9e3912dadd07ad8a9c640064ffb"
}
],
"title": "can: etas_es58x: fix potential NULL pointer dereference on udev-\u003eserial",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21773",
"datePublished": "2025-02-27T02:18:20.013Z",
"dateReserved": "2024-12-29T08:45:45.762Z",
"dateUpdated": "2025-10-01T19:36:40.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53010 (GCVE-0-2023-53010)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt: Do not read past the end of test names
Test names were being concatenated based on a offset beyond the end of
the first name, which tripped the buffer overflow detection logic:
detected buffer overflow in strnlen
[...]
Call Trace:
bnxt_ethtool_init.cold+0x18/0x18
Refactor struct hwrm_selftest_qlist_output to use an actual array,
and adjust the concatenation to use snprintf() rather than a series of
strncat() calls.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cefa85480ac99c0bef5a09daadb48d65fc28e279",
"status": "affected",
"version": "eb51365846bc418687af4c4f41b68b6e84cdd449",
"versionType": "git"
},
{
"lessThan": "d3e599c090fc6977331150c5f0a69ab8ce87da21",
"status": "affected",
"version": "eb51365846bc418687af4c4f41b68b6e84cdd449",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: Do not read past the end of test names\n\nTest names were being concatenated based on a offset beyond the end of\nthe first name, which tripped the buffer overflow detection logic:\n\n detected buffer overflow in strnlen\n [...]\n Call Trace:\n bnxt_ethtool_init.cold+0x18/0x18\n\nRefactor struct hwrm_selftest_qlist_output to use an actual array,\nand adjust the concatenation to use snprintf() rather than a series of\nstrncat() calls."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:32.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cefa85480ac99c0bef5a09daadb48d65fc28e279"
},
{
"url": "https://git.kernel.org/stable/c/d3e599c090fc6977331150c5f0a69ab8ce87da21"
}
],
"title": "bnxt: Do not read past the end of test names",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53010",
"datePublished": "2025-03-27T16:43:40.228Z",
"dateReserved": "2025-03-27T16:40:15.748Z",
"dateUpdated": "2025-05-04T07:47:32.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46782 (GCVE-0-2024-46782)
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2025-11-03 22:18
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ila: call nf_unregister_net_hooks() sooner
syzbot found an use-after-free Read in ila_nf_input [1]
Issue here is that ila_xlat_exit_net() frees the rhashtable,
then call nf_unregister_net_hooks().
It should be done in the reverse way, with a synchronize_rcu().
This is a good match for a pre_exit() method.
[1]
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup include/linux/rhashtable.h:604 [inline]
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
process_backlog+0x662/0x15b0 net/core/dev.c:6108
__napi_poll+0xcb/0x490 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6963
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xbfffffff(buddy)
raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000
raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103
__kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130
__do_kmalloc_node mm/slub.c:4146 [inline]
__kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164
__kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
bucket_table_alloc lib/rhashtable.c:186 [inline]
rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613
ops_ini
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:30:14.976916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T13:18:35.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:18:26.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ila/ila.h",
"net/ipv6/ila/ila_main.c",
"net/ipv6/ila/ila_xlat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43d34110882b97ba1ec66cc8234b18983efb9abf",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "dcaf4e2216824839d26727a15b638c6a677bd9fc",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "93ee345ba349922834e6a9d1dadabaedcc12dce6",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "bda4d84ac0d5421b346faee720011f58bdb99673",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "925c18a7cff93d8a4320d652351294ff7d0ac93c",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "18a5a16940464b301ea91bf5da3a324aedb347b2",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "47abd8adddbc0aecb8f231269ef659148d5dabe4",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
},
{
"lessThan": "031ae72825cef43e4650140b800ad58bf7a6a466",
"status": "affected",
"version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ila/ila.h",
"net/ipv6/ila/ila_main.c",
"net/ipv6/ila/ila_xlat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.322",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.284",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.226",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.167",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.110",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.51",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: call nf_unregister_net_hooks() sooner\n\nsyzbot found an use-after-free Read in ila_nf_input [1]\n\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\nthen call nf_unregister_net_hooks().\n\nIt should be done in the reverse way, with a synchronize_rcu().\n\nThis is a good match for a pre_exit() method.\n\n[1]\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\n\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\n ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\n ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\n __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\n process_backlog+0x662/0x15b0 net/core/dev.c:6108\n __napi_poll+0xcb/0x490 net/core/dev.c:6772\n napi_poll net/core/dev.c:6841 [inline]\n net_rx_action+0x89b/0x1240 net/core/dev.c:6963\n handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\n run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\n smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xbfffffff(buddy)\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\n prep_new_page mm/page_alloc.c:1501 [inline]\n get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\n __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\n __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\n alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\n ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\n __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\n __do_kmalloc_node mm/slub.c:4146 [inline]\n __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\n __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\n bucket_table_alloc lib/rhashtable.c:186 [inline]\n rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071\n ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\n ops_ini\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:34:10.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf"
},
{
"url": "https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc"
},
{
"url": "https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6"
},
{
"url": "https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673"
},
{
"url": "https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c"
},
{
"url": "https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2"
},
{
"url": "https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4"
},
{
"url": "https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466"
}
],
"title": "ila: call nf_unregister_net_hooks() sooner",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46782",
"datePublished": "2024-09-18T07:12:38.652Z",
"dateReserved": "2024-09-11T15:12:18.276Z",
"dateUpdated": "2025-11-03T22:18:26.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49134 (GCVE-0-2022-49134)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum: Guard against invalid local ports
When processing events generated by the device's firmware, the driver
protects itself from events reported for non-existent local ports, but
not for the CPU port (local port 0), which exists, but does not have all
the fields as any local port.
This can result in a NULL pointer dereference when trying access
'struct mlxsw_sp_port' fields which are not initialized for CPU port.
Commit 63b08b1f6834 ("mlxsw: spectrum: Protect driver from buggy firmware")
already handled such issue by bailing early when processing a PUDE event
reported for the CPU port.
Generalize the approach by moving the check to a common function and
making use of it in all relevant places.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:13.504357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:02.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum.c",
"drivers/net/ethernet/mellanox/mlxsw/spectrum.h",
"drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c",
"drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cad27ba2e5a5843a7fab5aa30de2b8e8c3db3a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bcdfd615f83b4bd04678109bf18022d1476e4bbf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum.c",
"drivers/net/ethernet/mellanox/mlxsw/spectrum.h",
"drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c",
"drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum: Guard against invalid local ports\n\nWhen processing events generated by the device\u0027s firmware, the driver\nprotects itself from events reported for non-existent local ports, but\nnot for the CPU port (local port 0), which exists, but does not have all\nthe fields as any local port.\n\nThis can result in a NULL pointer dereference when trying access\n\u0027struct mlxsw_sp_port\u0027 fields which are not initialized for CPU port.\n\nCommit 63b08b1f6834 (\"mlxsw: spectrum: Protect driver from buggy firmware\")\nalready handled such issue by bailing early when processing a PUDE event\nreported for the CPU port.\n\nGeneralize the approach by moving the check to a common function and\nmaking use of it in all relevant places."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:43.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cad27ba2e5a5843a7fab5aa30de2b8e8c3db3a8"
},
{
"url": "https://git.kernel.org/stable/c/bcdfd615f83b4bd04678109bf18022d1476e4bbf"
}
],
"title": "mlxsw: spectrum: Guard against invalid local ports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49134",
"datePublished": "2025-02-26T01:55:08.293Z",
"dateReserved": "2025-02-26T01:49:39.267Z",
"dateUpdated": "2025-10-01T19:57:02.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49305 (GCVE-0-2022-49305)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
There is a deadlock in ieee80211_beacons_stop(), which is shown below:
(Thread 1) | (Thread 2)
| ieee80211_send_beacon()
ieee80211_beacons_stop() | mod_timer()
spin_lock_irqsave() //(1) | (wait a time)
... | ieee80211_send_beacon_cb()
del_timer_sync() | spin_lock_irqsave() //(2)
(wait timer to stop) | ...
We hold ieee->beacon_lock in position (1) of thread 1 and use
del_timer_sync() to wait timer to stop, but timer handler
also need ieee->beacon_lock in position (2) of thread 2.
As a result, ieee80211_beacons_stop() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let timer handler to obtain
the needed lock.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:29.816182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b465bb2ebf666116c1ac745cb80c65154dc0d27e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1fbe033c52480f7954c057510040fa6286c4ea25",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "66f769762f65d957f688f3258755c6ec410bf710",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "042915c1bfedd684c1d98a841794ee203200571a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffc9cab7243f8151be37966301307bfd3cda2db3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b34cb54923a6e5ddefbaf358c85c922c6ab456e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "806c7b53414934ba2a39449b31fd1a038e500273",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()\n\nThere is a deadlock in ieee80211_beacons_stop(), which is shown below:\n\n (Thread 1) | (Thread 2)\n | ieee80211_send_beacon()\nieee80211_beacons_stop() | mod_timer()\n spin_lock_irqsave() //(1) | (wait a time)\n ... | ieee80211_send_beacon_cb()\n del_timer_sync() | spin_lock_irqsave() //(2)\n (wait timer to stop) | ...\n\nWe hold ieee-\u003ebeacon_lock in position (1) of thread 1 and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need ieee-\u003ebeacon_lock in position (2) of thread 2.\nAs a result, ieee80211_beacons_stop() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irqsave(), which could let timer handler to obtain\nthe needed lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:43.932Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b465bb2ebf666116c1ac745cb80c65154dc0d27e"
},
{
"url": "https://git.kernel.org/stable/c/1fbe033c52480f7954c057510040fa6286c4ea25"
},
{
"url": "https://git.kernel.org/stable/c/66f769762f65d957f688f3258755c6ec410bf710"
},
{
"url": "https://git.kernel.org/stable/c/042915c1bfedd684c1d98a841794ee203200571a"
},
{
"url": "https://git.kernel.org/stable/c/ffc9cab7243f8151be37966301307bfd3cda2db3"
},
{
"url": "https://git.kernel.org/stable/c/b34cb54923a6e5ddefbaf358c85c922c6ab456e2"
},
{
"url": "https://git.kernel.org/stable/c/806c7b53414934ba2a39449b31fd1a038e500273"
}
],
"title": "drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49305",
"datePublished": "2025-02-26T02:10:38.212Z",
"dateReserved": "2025-02-26T02:08:31.535Z",
"dateUpdated": "2025-10-01T19:46:58.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49268 (GCVE-0-2022-49268)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns
-ENOMEM because it leads to a NULL pointer dereference bug.
The dmesg says:
[ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12
[ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ T1387] #PF: supervisor read access in kernel mode
[ T1387] #PF: error_code(0x0000) - not-present page
[ T1387] PGD 0 P4D 0
[ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3
[ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021
[ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80
[ T1387] Code: [... snip ...]
[ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246
[ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0
[ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000
[ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001
[ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828
[ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000
[ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0
[ T1387] PKRU: 55555554
[ T1387] Call Trace:
[ T1387] <TASK>
[ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]
[... snip ...]
[ T1387] </TASK>
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 Version: d16046ffa6de040bf580a64d5f4d0aa18258a854 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01df5f7627f1624d6bb0b8c0870a569b32adfbf8",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "0c307349fe060971625b856c92f0361b8ea9a120",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "b6094744e261083d3790c3def770ebf5060d383b",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "09eca322d4118dc26570ca6100fa34e59e5a5143",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "67f7bd9ff9079c1ee2de58e024fb582905c74c16",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
},
{
"lessThan": "b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9",
"status": "affected",
"version": "d16046ffa6de040bf580a64d5f4d0aa18258a854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda-loader.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM\n\nDo not call snd_dma_free_pages() when snd_dma_alloc_pages() returns\n-ENOMEM because it leads to a NULL pointer dereference bug.\n\nThe dmesg says:\n\n [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12\n [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [ T1387] #PF: supervisor read access in kernel mode\n [ T1387] #PF: error_code(0x0000) - not-present page\n [ T1387] PGD 0 P4D 0\n [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3\n [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021\n [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80\n [ T1387] Code: [... snip ...]\n [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246\n [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0\n [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000\n [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001\n [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828\n [ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000\n [ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0\n [ T1387] PKRU: 55555554\n [ T1387] Call Trace:\n [ T1387] \u003cTASK\u003e\n [ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]\n [... snip ...]\n [ T1387] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:44.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01df5f7627f1624d6bb0b8c0870a569b32adfbf8"
},
{
"url": "https://git.kernel.org/stable/c/0c307349fe060971625b856c92f0361b8ea9a120"
},
{
"url": "https://git.kernel.org/stable/c/b6094744e261083d3790c3def770ebf5060d383b"
},
{
"url": "https://git.kernel.org/stable/c/09eca322d4118dc26570ca6100fa34e59e5a5143"
},
{
"url": "https://git.kernel.org/stable/c/67f7bd9ff9079c1ee2de58e024fb582905c74c16"
},
{
"url": "https://git.kernel.org/stable/c/b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9"
}
],
"title": "ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49268",
"datePublished": "2025-02-26T01:56:16.713Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:44.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49357 (GCVE-0-2022-49357)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: Do not import certificates from UEFI Secure Boot for T2 Macs
On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables
at early boot to load UEFI Secure Boot certificates, a page fault occurs
in Apple firmware code and EFI runtime services are disabled with the
following logs:
[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000
WARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0
(Removed some logs from here)
Call Trace:
<TASK>
page_fault_oops+0x4f/0x2c0
? search_bpf_extables+0x6b/0x80
? search_module_extables+0x50/0x80
? search_exception_tables+0x5b/0x60
kernelmode_fixup_or_oops+0x9e/0x110
__bad_area_nosemaphore+0x155/0x190
bad_area_nosemaphore+0x16/0x20
do_kern_addr_fault+0x8c/0xa0
exc_page_fault+0xd8/0x180
asm_exc_page_fault+0x1e/0x30
(Removed some logs from here)
? __efi_call+0x28/0x30
? switch_mm+0x20/0x30
? efi_call_rts+0x19a/0x8e0
? process_one_work+0x222/0x3f0
? worker_thread+0x4a/0x3d0
? kthread+0x17a/0x1a0
? process_one_work+0x3f0/0x3f0
? set_kthread_struct+0x40/0x40
? ret_from_fork+0x22/0x30
</TASK>
---[ end trace 1f82023595a5927f ]---
efi: Froze efi_rts_wq and disabled EFI Runtime Services
integrity: Couldn't get size: 0x8000000000000015
integrity: MODSIGN: Couldn't get UEFI db list
efi: EFI Runtime Services are disabled!
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get UEFI dbx list
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get mokx list
integrity: Couldn't get size: 0x80000000
So we avoid reading these UEFI variables and thus prevent the crash.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 15ea0e1e3e185040bed6119f815096f2e4326242 Version: 15ea0e1e3e185040bed6119f815096f2e4326242 Version: 15ea0e1e3e185040bed6119f815096f2e4326242 Version: 15ea0e1e3e185040bed6119f815096f2e4326242 Version: 15ea0e1e3e185040bed6119f815096f2e4326242 Version: 15ea0e1e3e185040bed6119f815096f2e4326242 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/platform_certs/keyring_handler.h",
"security/integrity/platform_certs/load_uefi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1cda6dd2c44771f042d65f0d17bec322ef99a0a",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
},
{
"lessThan": "c072cab98bac11f6ef9db640fb51834d9552e2e6",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
},
{
"lessThan": "65237307f88f5200782ae7f243bdd385e37cde5d",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
},
{
"lessThan": "b34786b25d75f9c119696e6bdf3827f54ae3601b",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
},
{
"lessThan": "1f7264f0510f519b4e4f575a8f0579ea65e7592e",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
},
{
"lessThan": "155ca952c7ca19aa32ecfb7373a32bbc2e1ec6eb",
"status": "affected",
"version": "15ea0e1e3e185040bed6119f815096f2e4326242",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/platform_certs/keyring_handler.h",
"security/integrity/platform_certs/load_uefi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Do not import certificates from UEFI Secure Boot for T2 Macs\n\nOn Apple T2 Macs, when Linux attempts to read the db and dbx efi variables\nat early boot to load UEFI Secure Boot certificates, a page fault occurs\nin Apple firmware code and EFI runtime services are disabled with the\nfollowing logs:\n\n[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000\nWARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0\n(Removed some logs from here)\nCall Trace:\n \u003cTASK\u003e\n page_fault_oops+0x4f/0x2c0\n ? search_bpf_extables+0x6b/0x80\n ? search_module_extables+0x50/0x80\n ? search_exception_tables+0x5b/0x60\n kernelmode_fixup_or_oops+0x9e/0x110\n __bad_area_nosemaphore+0x155/0x190\n bad_area_nosemaphore+0x16/0x20\n do_kern_addr_fault+0x8c/0xa0\n exc_page_fault+0xd8/0x180\n asm_exc_page_fault+0x1e/0x30\n(Removed some logs from here)\n ? __efi_call+0x28/0x30\n ? switch_mm+0x20/0x30\n ? efi_call_rts+0x19a/0x8e0\n ? process_one_work+0x222/0x3f0\n ? worker_thread+0x4a/0x3d0\n ? kthread+0x17a/0x1a0\n ? process_one_work+0x3f0/0x3f0\n ? set_kthread_struct+0x40/0x40\n ? ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n---[ end trace 1f82023595a5927f ]---\nefi: Froze efi_rts_wq and disabled EFI Runtime Services\nintegrity: Couldn\u0027t get size: 0x8000000000000015\nintegrity: MODSIGN: Couldn\u0027t get UEFI db list\nefi: EFI Runtime Services are disabled!\nintegrity: Couldn\u0027t get size: 0x8000000000000015\nintegrity: Couldn\u0027t get UEFI dbx list\nintegrity: Couldn\u0027t get size: 0x8000000000000015\nintegrity: Couldn\u0027t get mokx list\nintegrity: Couldn\u0027t get size: 0x80000000\n\nSo we avoid reading these UEFI variables and thus prevent the crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:58.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1cda6dd2c44771f042d65f0d17bec322ef99a0a"
},
{
"url": "https://git.kernel.org/stable/c/c072cab98bac11f6ef9db640fb51834d9552e2e6"
},
{
"url": "https://git.kernel.org/stable/c/65237307f88f5200782ae7f243bdd385e37cde5d"
},
{
"url": "https://git.kernel.org/stable/c/b34786b25d75f9c119696e6bdf3827f54ae3601b"
},
{
"url": "https://git.kernel.org/stable/c/1f7264f0510f519b4e4f575a8f0579ea65e7592e"
},
{
"url": "https://git.kernel.org/stable/c/155ca952c7ca19aa32ecfb7373a32bbc2e1ec6eb"
}
],
"title": "efi: Do not import certificates from UEFI Secure Boot for T2 Macs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49357",
"datePublished": "2025-02-26T02:11:06.931Z",
"dateReserved": "2025-02-26T02:08:31.546Z",
"dateUpdated": "2025-05-04T08:35:58.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49400 (GCVE-0-2022-49400)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: Don't set mddev private to NULL in raid0 pers->free
In normal stop process, it does like this:
do_md_stop
|
__md_stop (pers->free(); mddev->private=NULL)
|
md_free (free mddev)
__md_stop sets mddev->private to NULL after pers->free. The raid device
will be stopped and mddev memory is free. But in reshape, it doesn't
free the mddev and mddev will still be used in new raid.
In reshape, it first sets mddev->private to new_pers and then runs
old_pers->free(). Now raid0 sets mddev->private to NULL in raid0_free.
The new raid can't work anymore. It will panic when dereference
mddev->private because of NULL pointer dereference.
It can panic like this:
[63010.814972] kernel BUG at drivers/md/raid10.c:928!
[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1
[63010.833789] Hardware name: Dell Inc. PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020
[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]
[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246
[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000
[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800
[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000
[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200
[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003
[63010.906399] FS: 0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000
[63010.914485] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0
[63010.927363] Call Trace:
[63010.929822] ? bio_reset+0xe/0x40
[63010.933144] ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]
[63010.938629] raid10_sync_request+0x756/0x1610 [raid10]
[63010.943770] md_do_sync.cold+0x3e4/0x94c
[63010.947698] md_thread+0xab/0x160
[63010.951024] ? md_write_inc+0x50/0x50
[63010.954688] kthread+0x149/0x170
[63010.957923] ? set_kthread_struct+0x40/0x40
[63010.962107] ret_from_fork+0x22/0x30
Removing the code that sets mddev->private to NULL in raid0 can fix
problem.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:25.016328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:50.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f63fd1e0e0fc158023cc67ea6a07e278019061ba",
"status": "affected",
"version": "00e3d58f50a875343124bcf5a9637520a492b0d1",
"versionType": "git"
},
{
"lessThan": "b7a51df785031cc49caf1c59766ca89cfa97b54b",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"lessThan": "7da3454a65f8a56e65dfb44fa0ccac08cbc2f5a1",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"lessThan": "0f2571ad7a30ff6b33cde142439f9378669f8b4f",
"status": "affected",
"version": "0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952",
"versionType": "git"
},
{
"status": "affected",
"version": "92053ae0398a58c6914e807d5e070297ba8cfe88",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don\u0027t set mddev private to NULL in raid0 pers-\u003efree\n\nIn normal stop process, it does like this:\n do_md_stop\n |\n __md_stop (pers-\u003efree(); mddev-\u003eprivate=NULL)\n |\n md_free (free mddev)\n__md_stop sets mddev-\u003eprivate to NULL after pers-\u003efree. The raid device\nwill be stopped and mddev memory is free. But in reshape, it doesn\u0027t\nfree the mddev and mddev will still be used in new raid.\n\nIn reshape, it first sets mddev-\u003eprivate to new_pers and then runs\nold_pers-\u003efree(). Now raid0 sets mddev-\u003eprivate to NULL in raid0_free.\nThe new raid can\u0027t work anymore. It will panic when dereference\nmddev-\u003eprivate because of NULL pointer dereference.\n\nIt can panic like this:\n[63010.814972] kernel BUG at drivers/md/raid10.c:928!\n[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1\n[63010.833789] Hardware name: Dell Inc. PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020\n[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]\n[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246\n[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000\n[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800\n[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000\n[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200\n[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003\n[63010.906399] FS: 0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000\n[63010.914485] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0\n[63010.927363] Call Trace:\n[63010.929822] ? bio_reset+0xe/0x40\n[63010.933144] ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]\n[63010.938629] raid10_sync_request+0x756/0x1610 [raid10]\n[63010.943770] md_do_sync.cold+0x3e4/0x94c\n[63010.947698] md_thread+0xab/0x160\n[63010.951024] ? md_write_inc+0x50/0x50\n[63010.954688] kthread+0x149/0x170\n[63010.957923] ? set_kthread_struct+0x40/0x40\n[63010.962107] ret_from_fork+0x22/0x30\n\nRemoving the code that sets mddev-\u003eprivate to NULL in raid0 can fix\nproblem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:38.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f63fd1e0e0fc158023cc67ea6a07e278019061ba"
},
{
"url": "https://git.kernel.org/stable/c/b7a51df785031cc49caf1c59766ca89cfa97b54b"
},
{
"url": "https://git.kernel.org/stable/c/7da3454a65f8a56e65dfb44fa0ccac08cbc2f5a1"
},
{
"url": "https://git.kernel.org/stable/c/0f2571ad7a30ff6b33cde142439f9378669f8b4f"
}
],
"title": "md: Don\u0027t set mddev private to NULL in raid0 pers-\u003efree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49400",
"datePublished": "2025-02-26T02:12:28.139Z",
"dateReserved": "2025-02-26T02:08:31.564Z",
"dateUpdated": "2025-10-01T19:46:50.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21856 (GCVE-0-2025-21856)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-10-01 19:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/ism: add release function for struct device
According to device_release() in /drivers/base/core.c,
a device without a release function is a broken device
and must be fixed.
The current code directly frees the device after calling device_add()
without waiting for other kernel parts to release their references.
Thus, a reference could still be held to a struct device,
e.g., by sysfs, leading to potential use-after-free
issues if a proper release function is not set.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:59.490091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:38.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ism_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "940d15254d2216b585558bcf36312da50074e711",
"status": "affected",
"version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
"versionType": "git"
},
{
"lessThan": "0505ff2936f166405d81d0d454a81d9c14124344",
"status": "affected",
"version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
"versionType": "git"
},
{
"lessThan": "e26e8ac27351f457091459a0a355bacd06d5bb2b",
"status": "affected",
"version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
"versionType": "git"
},
{
"lessThan": "915e34d5ad35a6a9e56113f852ade4a730fb88f0",
"status": "affected",
"version": "8c81ba20349daf9f7e58bb05a0c12f4b71813a30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/ism_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ism: add release function for struct device\n\nAccording to device_release() in /drivers/base/core.c,\na device without a release function is a broken device\nand must be fixed.\n\nThe current code directly frees the device after calling device_add()\nwithout waiting for other kernel parts to release their references.\nThus, a reference could still be held to a struct device,\ne.g., by sysfs, leading to potential use-after-free\nissues if a proper release function is not set."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:38.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/940d15254d2216b585558bcf36312da50074e711"
},
{
"url": "https://git.kernel.org/stable/c/0505ff2936f166405d81d0d454a81d9c14124344"
},
{
"url": "https://git.kernel.org/stable/c/e26e8ac27351f457091459a0a355bacd06d5bb2b"
},
{
"url": "https://git.kernel.org/stable/c/915e34d5ad35a6a9e56113f852ade4a730fb88f0"
}
],
"title": "s390/ism: add release function for struct device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21856",
"datePublished": "2025-03-12T09:42:09.929Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-10-01T19:26:38.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49724 (GCVE-0-2022-49724)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: goldfish: Fix free_irq() on remove
Pass the correct dev_id to free_irq() to fix this splat when the driver
is unbound:
WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq
Trying to free already-free IRQ 65
Call Trace:
warn_slowpath_fmt
free_irq
goldfish_tty_remove
platform_remove
device_remove
device_release_driver_internal
device_driver_detach
unbind_store
drv_attr_store
...
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd Version: 465893e18878e119d8d0255439fad8debbd646fd |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/goldfish.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4b0b8edccb0cfb15a8cecf4161e0571d3daac64",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "c83a1d40dc624070a203eb383ef9fb60eb634136",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "f7183c76d500324b8b5bd0af5e663cfa57b7b836",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "65ca4db68b6819244df9024aea4be55edf8af1ef",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "fb15e79cacddfbc62264e6e807bde50ad688e988",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
},
{
"lessThan": "499e13aac6c762e1e828172b0f0f5275651d6512",
"status": "affected",
"version": "465893e18878e119d8d0255439fad8debbd646fd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/goldfish.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: goldfish: Fix free_irq() on remove\n\nPass the correct dev_id to free_irq() to fix this splat when the driver\nis unbound:\n\n WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq\n Trying to free already-free IRQ 65\n Call Trace:\n warn_slowpath_fmt\n free_irq\n goldfish_tty_remove\n platform_remove\n device_remove\n device_release_driver_internal\n device_driver_detach\n unbind_store\n drv_attr_store\n ..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:07.784Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4b0b8edccb0cfb15a8cecf4161e0571d3daac64"
},
{
"url": "https://git.kernel.org/stable/c/c83a1d40dc624070a203eb383ef9fb60eb634136"
},
{
"url": "https://git.kernel.org/stable/c/f7183c76d500324b8b5bd0af5e663cfa57b7b836"
},
{
"url": "https://git.kernel.org/stable/c/65ca4db68b6819244df9024aea4be55edf8af1ef"
},
{
"url": "https://git.kernel.org/stable/c/fb15e79cacddfbc62264e6e807bde50ad688e988"
},
{
"url": "https://git.kernel.org/stable/c/a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8"
},
{
"url": "https://git.kernel.org/stable/c/499e13aac6c762e1e828172b0f0f5275651d6512"
}
],
"title": "tty: goldfish: Fix free_irq() on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49724",
"datePublished": "2025-02-26T02:24:36.699Z",
"dateReserved": "2025-02-26T02:21:30.447Z",
"dateUpdated": "2025-05-04T08:44:07.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49376 (GCVE-0-2022-49376)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: sd: Fix potential NULL pointer dereference
If sd_probe() sees an early error before sdkp->device is initialized,
sd_zbc_release_disk() is called. This causes a NULL pointer dereference
when sd_is_zoned() is called inside that function. Avoid this by removing
the call to sd_zbc_release_disk() in sd_probe() error path.
This change is safe and does not result in zone information memory leakage
because the zone information for a zoned disk is allocated only when
sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set,
resulting in sd_disk_release() being called when needed to cleanup a disk
zone information using sd_zbc_release_disk().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:41:58.424102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:52.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1f0187025905e9981000d44a92e159468b561a8",
"status": "affected",
"version": "89d9475610771b5e5fe1879075f0fc9ba6e3755f",
"versionType": "git"
},
{
"lessThan": "0fcb0b131cc90c8f523a293d84c58d0c7273c96f",
"status": "affected",
"version": "89d9475610771b5e5fe1879075f0fc9ba6e3755f",
"versionType": "git"
},
{
"lessThan": "78f8e96df06e2d04d82d4071c299b59d28744f47",
"status": "affected",
"version": "89d9475610771b5e5fe1879075f0fc9ba6e3755f",
"versionType": "git"
},
{
"lessThan": "3733439593ad12f7b54ae35c273ea6f15d692de3",
"status": "affected",
"version": "89d9475610771b5e5fe1879075f0fc9ba6e3755f",
"versionType": "git"
},
{
"lessThan": "05fbde3a77a4f1d62e4c4428f384288c1f1a0be5",
"status": "affected",
"version": "89d9475610771b5e5fe1879075f0fc9ba6e3755f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/sd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: Fix potential NULL pointer dereference\n\nIf sd_probe() sees an early error before sdkp-\u003edevice is initialized,\nsd_zbc_release_disk() is called. This causes a NULL pointer dereference\nwhen sd_is_zoned() is called inside that function. Avoid this by removing\nthe call to sd_zbc_release_disk() in sd_probe() error path.\n\nThis change is safe and does not result in zone information memory leakage\nbecause the zone information for a zoned disk is allocated only when\nsd_revalidate_disk() is called, at which point sdkp-\u003edisk_dev is fully set,\nresulting in sd_disk_release() being called when needed to cleanup a disk\nzone information using sd_zbc_release_disk()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:22.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1f0187025905e9981000d44a92e159468b561a8"
},
{
"url": "https://git.kernel.org/stable/c/0fcb0b131cc90c8f523a293d84c58d0c7273c96f"
},
{
"url": "https://git.kernel.org/stable/c/78f8e96df06e2d04d82d4071c299b59d28744f47"
},
{
"url": "https://git.kernel.org/stable/c/3733439593ad12f7b54ae35c273ea6f15d692de3"
},
{
"url": "https://git.kernel.org/stable/c/05fbde3a77a4f1d62e4c4428f384288c1f1a0be5"
}
],
"title": "scsi: sd: Fix potential NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49376",
"datePublished": "2025-02-26T02:11:16.118Z",
"dateReserved": "2025-02-26T02:08:31.558Z",
"dateUpdated": "2025-10-01T19:46:52.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49138 (GCVE-0-2022-49138)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Ignore multiple conn complete events
When one of the three connection complete events is received multiple
times for the same handle, the device is registered multiple times which
leads to memory corruptions. Therefore, consequent events for a single
connection are ignored.
The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET
is introduced to identify new connections. To make sure the events do not
contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks
are introduced.
Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa1ca580e3ffe62a2c5ea1c095b609b2943c5269",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5ebaa7c5f6f688959e8d40840b2249ede63b8ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_conn.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Ignore multiple conn complete events\n\nWhen one of the three connection complete events is received multiple\ntimes for the same handle, the device is registered multiple times which\nleads to memory corruptions. Therefore, consequent events for a single\nconnection are ignored.\n\nThe conn-\u003estate can hold different values, therefore HCI_CONN_HANDLE_UNSET\nis introduced to identify new connections. To make sure the events do not\ncontain this or another invalid handle HCI_CONN_HANDLE_MAX and checks\nare introduced.\n\nBuglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:49.651Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269"
},
{
"url": "https://git.kernel.org/stable/c/d5ebaa7c5f6f688959e8d40840b2249ede63b8ed"
}
],
"title": "Bluetooth: hci_event: Ignore multiple conn complete events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49138",
"datePublished": "2025-02-26T01:55:10.632Z",
"dateReserved": "2025-02-26T01:49:39.268Z",
"dateUpdated": "2025-05-04T08:30:49.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35826 (GCVE-0-2024-35826)
Vulnerability from cvelistv5
Published
2024-05-17 13:27
Modified
2025-05-04 12:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: Fix page refcounts for unaligned buffers in __bio_release_pages()
Fix an incorrect number of pages being released for buffers that do not
start at the beginning of a page.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 9025ee1079291fac79c7fcc20086e9f0015f86f4 Version: 8955324cc9f93304efe163120038b38c36c09fba Version: d198c15d181cc9d580f0f2c25150b077d1d49c1a Version: 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55 Version: 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55 Version: d2d0b95ca1b5fefa3deed444a803c9f809db66cf Version: 3f4e660144edb053886fc80f587a71ad7afc2ad6 Version: bfc0647791d7a8f3e178a896a26c4ef7794876b7 Version: 0f2dca516541032fe47a1236c852f58edc662795 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:42:25.762308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:21.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "242006996d15f5ca62e22f8c7de077d9c4a8f367",
"status": "affected",
"version": "9025ee1079291fac79c7fcc20086e9f0015f86f4",
"versionType": "git"
},
{
"lessThan": "7d3765550374f71248c55e6206ea1d6fd4537e65",
"status": "affected",
"version": "8955324cc9f93304efe163120038b38c36c09fba",
"versionType": "git"
},
{
"lessThan": "ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35",
"status": "affected",
"version": "d198c15d181cc9d580f0f2c25150b077d1d49c1a",
"versionType": "git"
},
{
"lessThan": "c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2",
"status": "affected",
"version": "1b151e2435fc3a9b10c8946c6aebe9f3e1938c55",
"versionType": "git"
},
{
"lessThan": "38b43539d64b2fa020b3b9a752a986769f87f7a6",
"status": "affected",
"version": "1b151e2435fc3a9b10c8946c6aebe9f3e1938c55",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d0b95ca1b5fefa3deed444a803c9f809db66cf",
"versionType": "git"
},
{
"status": "affected",
"version": "3f4e660144edb053886fc80f587a71ad7afc2ad6",
"versionType": "git"
},
{
"status": "affected",
"version": "bfc0647791d7a8f3e178a896a26c4ef7794876b7",
"versionType": "git"
},
{
"status": "affected",
"version": "0f2dca516541032fe47a1236c852f58edc662795",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "6.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.307",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.148",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:55:52.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367"
},
{
"url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65"
},
{
"url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35"
},
{
"url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2"
},
{
"url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6"
}
],
"title": "block: Fix page refcounts for unaligned buffers in __bio_release_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35826",
"datePublished": "2024-05-17T13:27:32.383Z",
"dateReserved": "2024-05-17T12:19:12.347Z",
"dateUpdated": "2025-05-04T12:55:52.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49206 (GCVE-0-2022-49206)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix memory leak in error flow for subscribe event routine
In case the second xa_insert() fails, the obj_event is not released. Fix
the error unwind flow to free that memory to avoid a memory leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 Version: 7597385371425febdaa8c6a1da3625d4ffff16f5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:07.712082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:56:58.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/devx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0174a89663a5ef83617da15bf24c0af2f62b6c7f",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
},
{
"lessThan": "c98d903ff9e79c210beddea4e6bc15ac38e25aa5",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
},
{
"lessThan": "8dd392e352d3269938fea32061a74655a613f929",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
},
{
"lessThan": "d66498507801fd9a20307a15a0814a0a016c3cde",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
},
{
"lessThan": "414b4e8738484379f18d6c4e780787c80dbf8a2c",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
},
{
"lessThan": "087f9c3f2309ed183f7e4b85ae57121d8663224d",
"status": "affected",
"version": "7597385371425febdaa8c6a1da3625d4ffff16f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/devx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix memory leak in error flow for subscribe event routine\n\nIn case the second xa_insert() fails, the obj_event is not released. Fix\nthe error unwind flow to free that memory to avoid a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:21.031Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0174a89663a5ef83617da15bf24c0af2f62b6c7f"
},
{
"url": "https://git.kernel.org/stable/c/c98d903ff9e79c210beddea4e6bc15ac38e25aa5"
},
{
"url": "https://git.kernel.org/stable/c/8dd392e352d3269938fea32061a74655a613f929"
},
{
"url": "https://git.kernel.org/stable/c/d66498507801fd9a20307a15a0814a0a016c3cde"
},
{
"url": "https://git.kernel.org/stable/c/414b4e8738484379f18d6c4e780787c80dbf8a2c"
},
{
"url": "https://git.kernel.org/stable/c/087f9c3f2309ed183f7e4b85ae57121d8663224d"
}
],
"title": "RDMA/mlx5: Fix memory leak in error flow for subscribe event routine",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49206",
"datePublished": "2025-02-26T01:55:45.685Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:56:58.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49148 (GCVE-0-2022-49148)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Free the page array when watch_queue is dismantled
Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the
watch_queue is torn down") took care of the bitmap, but not the page
array.
BUG: memory leak
unreferenced object 0xffff88810d9bc140 (size 32):
comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s)
hex dump (first 32 bytes):
40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
kmalloc_array include/linux/slab.h:621 [inline]
kcalloc include/linux/slab.h:652 [inline]
watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251
pipe_ioctl+0x82/0x140 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:50.624778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:01.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7169f60110915c8b53bffd43741fa020a75eb87a",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "4913daecd04addb41bc96a9175a885e1c19862a8",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "3963a5d1ff75585bddf0c3a918566a6be09d7520",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "375cd2536494cfbcdda84ae8b3e35bf19d0250b9",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
},
{
"lessThan": "b490207017ba237d97b735b2aa66dc241ccd18f5",
"status": "affected",
"version": "c73be61cede5882f9605a852414db559c0ebedfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Free the page array when watch_queue is dismantled\n\nCommit 7ea1a0124b6d (\"watch_queue: Free the alloc bitmap when the\nwatch_queue is torn down\") took care of the bitmap, but not the page\narray.\n\n BUG: memory leak\n unreferenced object 0xffff88810d9bc140 (size 32):\n comm \"syz-executor335\", pid 3603, jiffies 4294946994 (age 12.840s)\n hex dump (first 32 bytes):\n 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@.............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n kmalloc_array include/linux/slab.h:621 [inline]\n kcalloc include/linux/slab.h:652 [inline]\n watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251\n pipe_ioctl+0x82/0x140 fs/pipe.c:632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:00.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7169f60110915c8b53bffd43741fa020a75eb87a"
},
{
"url": "https://git.kernel.org/stable/c/4913daecd04addb41bc96a9175a885e1c19862a8"
},
{
"url": "https://git.kernel.org/stable/c/3963a5d1ff75585bddf0c3a918566a6be09d7520"
},
{
"url": "https://git.kernel.org/stable/c/375cd2536494cfbcdda84ae8b3e35bf19d0250b9"
},
{
"url": "https://git.kernel.org/stable/c/b490207017ba237d97b735b2aa66dc241ccd18f5"
}
],
"title": "watch_queue: Free the page array when watch_queue is dismantled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49148",
"datePublished": "2025-02-26T01:55:15.872Z",
"dateReserved": "2025-02-26T01:49:39.273Z",
"dateUpdated": "2025-10-01T19:57:01.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49656 (GCVE-0-2022-49656)
Vulnerability from cvelistv5
Published
2025-02-26 02:23
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
of_find_compatible_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d850f3e5d2966e5c9eb55f66181cee960737e04c Version: d850f3e5d2966e5c9eb55f66181cee960737e04c Version: d850f3e5d2966e5c9eb55f66181cee960737e04c Version: d850f3e5d2966e5c9eb55f66181cee960737e04c Version: d850f3e5d2966e5c9eb55f66181cee960737e04c Version: d850f3e5d2966e5c9eb55f66181cee960737e04c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:33:34.909146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:48.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-meson/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e1bcd33478ef44e63a45457055060b5fe4118ad",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
},
{
"lessThan": "3cf8ece9113242c10f83c7675ea4f4f67959ee43",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
},
{
"lessThan": "3d90607e7e6afa89768b0aaa915b58bd2b849276",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
},
{
"lessThan": "7208101ded1e9dcc52c8f0f8b16474211c871c1a",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
},
{
"lessThan": "c5fbf4f74c94fd60d5e9bf9f7f8268c3601562ca",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
},
{
"lessThan": "34d2cd3fccced12b958b8848e3eff0ee4296764c",
"status": "affected",
"version": "d850f3e5d2966e5c9eb55f66181cee960737e04c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-meson/platsmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.252",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.205",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.130",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.54",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.11",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: meson: Fix refcount leak in meson_smp_prepare_cpus\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:42:41.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e1bcd33478ef44e63a45457055060b5fe4118ad"
},
{
"url": "https://git.kernel.org/stable/c/3cf8ece9113242c10f83c7675ea4f4f67959ee43"
},
{
"url": "https://git.kernel.org/stable/c/3d90607e7e6afa89768b0aaa915b58bd2b849276"
},
{
"url": "https://git.kernel.org/stable/c/7208101ded1e9dcc52c8f0f8b16474211c871c1a"
},
{
"url": "https://git.kernel.org/stable/c/c5fbf4f74c94fd60d5e9bf9f7f8268c3601562ca"
},
{
"url": "https://git.kernel.org/stable/c/34d2cd3fccced12b958b8848e3eff0ee4296764c"
}
],
"title": "ARM: meson: Fix refcount leak in meson_smp_prepare_cpus",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49656",
"datePublished": "2025-02-26T02:23:55.949Z",
"dateReserved": "2025-02-26T02:21:30.434Z",
"dateUpdated": "2025-10-01T19:36:48.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49113 (GCVE-0-2022-49113)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/secvar: fix refcount leak in format_show()
Refcount leak will happen when format_show returns failure in multiple
cases. Unified management of of_node_put can fix this problem.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:48:55.588675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:04.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/secvar-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02222bf4f0a27f6eba66d1f597cdb5daadd51829",
"status": "affected",
"version": "bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec",
"versionType": "git"
},
{
"lessThan": "2a71e3ecd829a82013cf095c55068c61d991e885",
"status": "affected",
"version": "bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec",
"versionType": "git"
},
{
"lessThan": "c105ffb6b9744158e37e9f81f0f38861951d1c1f",
"status": "affected",
"version": "bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec",
"versionType": "git"
},
{
"lessThan": "d05e4265d33af60b39606c20c731e3e719bfe3d6",
"status": "affected",
"version": "bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec",
"versionType": "git"
},
{
"lessThan": "d601fd24e6964967f115f036a840f4f28488f63f",
"status": "affected",
"version": "bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/secvar-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/secvar: fix refcount leak in format_show()\n\nRefcount leak will happen when format_show returns failure in multiple\ncases. Unified management of of_node_put can fix this problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:58:37.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02222bf4f0a27f6eba66d1f597cdb5daadd51829"
},
{
"url": "https://git.kernel.org/stable/c/2a71e3ecd829a82013cf095c55068c61d991e885"
},
{
"url": "https://git.kernel.org/stable/c/c105ffb6b9744158e37e9f81f0f38861951d1c1f"
},
{
"url": "https://git.kernel.org/stable/c/d05e4265d33af60b39606c20c731e3e719bfe3d6"
},
{
"url": "https://git.kernel.org/stable/c/d601fd24e6964967f115f036a840f4f28488f63f"
}
],
"title": "powerpc/secvar: fix refcount leak in format_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49113",
"datePublished": "2025-02-26T01:54:57.663Z",
"dateReserved": "2025-02-26T01:49:39.262Z",
"dateUpdated": "2025-10-01T19:57:04.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49701 (GCVE-0-2022-49701)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-05-04 08:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Allocate/free queue resource only during probe/remove
Currently, the sub-queues and event pool resources are allocated/freed for
every CRQ connection event such as reset and LPM. This exposes the driver
to a couple issues. First the inefficiency of freeing and reallocating
memory that can simply be resued after being sanitized. Further, a system
under memory pressue runs the risk of allocation failures that could result
in a crippled driver. Finally, there is a race window where command
submission/compeletion can try to pull/return elements from/to an event
pool that is being deleted or already has been deleted due to the lack of
host state around freeing/allocating resources. The following is an example
of list corruption following a live partition migration (LPM):
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: vfat fat isofs cdrom ext4 mbcache jbd2 nft_counter nft_compat nf_tables nfnetlink rpadlpar_io rpaphp xsk_diag nfsv3 nfs_acl nfs lockd grace fscache netfs rfkill bonding tls sunrpc pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth vmx_crypto dm_multipath dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
CPU: 0 PID: 2108 Comm: ibmvfc_0 Kdump: loaded Not tainted 5.14.0-70.9.1.el9_0.ppc64le #1
NIP: c0000000007c4bb0 LR: c0000000007c4bac CTR: 00000000005b9a10
REGS: c00000025c10b760 TRAP: 0700 Not tainted (5.14.0-70.9.1.el9_0.ppc64le)
MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 2800028f XER: 0000000f
CFAR: c0000000001f55bc IRQMASK: 0
GPR00: c0000000007c4bac c00000025c10ba00 c000000002a47c00 000000000000004e
GPR04: c0000031e3006f88 c0000031e308bd00 c00000025c10b768 0000000000000027
GPR08: 0000000000000000 c0000031e3009dc0 00000031e0eb0000 0000000000000000
GPR12: c0000031e2ffffa8 c000000002dd0000 c000000000187108 c00000020fcee2c0
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 c008000002f81300
GPR24: 5deadbeef0000100 5deadbeef0000122 c000000263ba6910 c00000024cc88000
GPR28: 000000000000003c c0000002430a0000 c0000002430ac300 000000000000c300
NIP [c0000000007c4bb0] __list_del_entry_valid+0x90/0x100
LR [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100
Call Trace:
[c00000025c10ba00] [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100 (unreliable)
[c00000025c10ba60] [c008000002f42284] ibmvfc_free_queue+0xec/0x210 [ibmvfc]
[c00000025c10bb10] [c008000002f4246c] ibmvfc_deregister_scsi_channel+0xc4/0x160 [ibmvfc]
[c00000025c10bba0] [c008000002f42580] ibmvfc_release_sub_crqs+0x78/0x130 [ibmvfc]
[c00000025c10bc20] [c008000002f4f6cc] ibmvfc_do_work+0x5c4/0xc70 [ibmvfc]
[c00000025c10bce0] [c008000002f4fdec] ibmvfc_work+0x74/0x1e8 [ibmvfc]
[c00000025c10bda0] [c0000000001872b8] kthread+0x1b8/0x1c0
[c00000025c10be10] [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
40820034 38600001 38210060 4e800020 7c0802a6 7c641b78 3c62fe7a 7d254b78
3863b590 f8010070 4ba309cd 60000000 <0fe00000> 7c0802a6 3c62fe7a 3863b640
---[ end trace 11a2b65a92f8b66c ]---
ibmvfc 30000003: Send warning. Receive queue closed, will retry.
Add registration/deregistration helpers that are called instead during
connection resets to sanitize and reconfigure the queues.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "161ec2a0807ddd58bc0f24f3e1e7e3d4fef5297f",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
},
{
"lessThan": "9f23c499ca601b2a1e1d2e761d03964b739bca0e",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
},
{
"lessThan": "72ea7fe0db73d65c7d977208842d8ade9b823de9",
"status": "affected",
"version": "3034ebe26389740bb6b4a463e05afb51dc93c336",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Allocate/free queue resource only during probe/remove\n\nCurrently, the sub-queues and event pool resources are allocated/freed for\nevery CRQ connection event such as reset and LPM. This exposes the driver\nto a couple issues. First the inefficiency of freeing and reallocating\nmemory that can simply be resued after being sanitized. Further, a system\nunder memory pressue runs the risk of allocation failures that could result\nin a crippled driver. Finally, there is a race window where command\nsubmission/compeletion can try to pull/return elements from/to an event\npool that is being deleted or already has been deleted due to the lack of\nhost state around freeing/allocating resources. The following is an example\nof list corruption following a live partition migration (LPM):\n\nOops: Exception in kernel mode, sig: 5 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: vfat fat isofs cdrom ext4 mbcache jbd2 nft_counter nft_compat nf_tables nfnetlink rpadlpar_io rpaphp xsk_diag nfsv3 nfs_acl nfs lockd grace fscache netfs rfkill bonding tls sunrpc pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth vmx_crypto dm_multipath dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\nCPU: 0 PID: 2108 Comm: ibmvfc_0 Kdump: loaded Not tainted 5.14.0-70.9.1.el9_0.ppc64le #1\nNIP: c0000000007c4bb0 LR: c0000000007c4bac CTR: 00000000005b9a10\nREGS: c00000025c10b760 TRAP: 0700 Not tainted (5.14.0-70.9.1.el9_0.ppc64le)\nMSR: 800000000282b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e CR: 2800028f XER: 0000000f\nCFAR: c0000000001f55bc IRQMASK: 0\n GPR00: c0000000007c4bac c00000025c10ba00 c000000002a47c00 000000000000004e\n GPR04: c0000031e3006f88 c0000031e308bd00 c00000025c10b768 0000000000000027\n GPR08: 0000000000000000 c0000031e3009dc0 00000031e0eb0000 0000000000000000\n GPR12: c0000031e2ffffa8 c000000002dd0000 c000000000187108 c00000020fcee2c0\n GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n GPR20: 0000000000000000 0000000000000000 0000000000000000 c008000002f81300\n GPR24: 5deadbeef0000100 5deadbeef0000122 c000000263ba6910 c00000024cc88000\n GPR28: 000000000000003c c0000002430a0000 c0000002430ac300 000000000000c300\nNIP [c0000000007c4bb0] __list_del_entry_valid+0x90/0x100\nLR [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100\nCall Trace:\n[c00000025c10ba00] [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100 (unreliable)\n[c00000025c10ba60] [c008000002f42284] ibmvfc_free_queue+0xec/0x210 [ibmvfc]\n[c00000025c10bb10] [c008000002f4246c] ibmvfc_deregister_scsi_channel+0xc4/0x160 [ibmvfc]\n[c00000025c10bba0] [c008000002f42580] ibmvfc_release_sub_crqs+0x78/0x130 [ibmvfc]\n[c00000025c10bc20] [c008000002f4f6cc] ibmvfc_do_work+0x5c4/0xc70 [ibmvfc]\n[c00000025c10bce0] [c008000002f4fdec] ibmvfc_work+0x74/0x1e8 [ibmvfc]\n[c00000025c10bda0] [c0000000001872b8] kthread+0x1b8/0x1c0\n[c00000025c10be10] [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64\nInstruction dump:\n40820034 38600001 38210060 4e800020 7c0802a6 7c641b78 3c62fe7a 7d254b78\n3863b590 f8010070 4ba309cd 60000000 \u003c0fe00000\u003e 7c0802a6 3c62fe7a 3863b640\n---[ end trace 11a2b65a92f8b66c ]---\nibmvfc 30000003: Send warning. Receive queue closed, will retry.\n\nAdd registration/deregistration helpers that are called instead during\nconnection resets to sanitize and reconfigure the queues."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:34.368Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/161ec2a0807ddd58bc0f24f3e1e7e3d4fef5297f"
},
{
"url": "https://git.kernel.org/stable/c/9f23c499ca601b2a1e1d2e761d03964b739bca0e"
},
{
"url": "https://git.kernel.org/stable/c/72ea7fe0db73d65c7d977208842d8ade9b823de9"
}
],
"title": "scsi: ibmvfc: Allocate/free queue resource only during probe/remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49701",
"datePublished": "2025-02-26T02:24:21.358Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-05-04T08:43:34.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49446 (GCVE-0-2022-49446)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvdimm: Fix firmware activation deadlock scenarios
Lockdep reports the following deadlock scenarios for CXL root device
power-management, device_prepare(), operations, and device_shutdown()
operations for 'nd_region' devices:
Chain exists of:
&nvdimm_region_key --> &nvdimm_bus->reconfig_mutex --> system_transition_mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(system_transition_mutex);
lock(&nvdimm_bus->reconfig_mutex);
lock(system_transition_mutex);
lock(&nvdimm_region_key);
Chain exists of:
&cxl_nvdimm_bridge_key --> acpi_scan_lock --> &cxl_root_key
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&cxl_root_key);
lock(acpi_scan_lock);
lock(&cxl_root_key);
lock(&cxl_nvdimm_bridge_key);
These stem from holding nvdimm_bus_lock() over hibernate_quiet_exec()
which walks the entire system device topology taking device_lock() along
the way. The nvdimm_bus_lock() is protecting against unregistration,
multiple simultaneous ops callers, and preventing activate_show() from
racing activate_store(). For the first 2, the lock is redundant.
Unregistration already flushes all ops users, and sysfs already prevents
multiple threads to be active in an ops handler at the same time. For
the last userspace should already be waiting for its last
activate_store() to complete, and does not need activate_show() to flush
the write side, so this lock usage can be deleted in these attributes.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:40:46.179643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:48.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "641649f31e20df630310f5c22f26c071acc676d4",
"status": "affected",
"version": "48001ea50d17f3eb06a552e9ecf21f7fc01b25da",
"versionType": "git"
},
{
"lessThan": "2f97ebc58d5fc83ca1528cd553fa725472ab3ca8",
"status": "affected",
"version": "48001ea50d17f3eb06a552e9ecf21f7fc01b25da",
"versionType": "git"
},
{
"lessThan": "ceb924ee16b2c8e48dcac3d9ad6be01c40b5a228",
"status": "affected",
"version": "48001ea50d17f3eb06a552e9ecf21f7fc01b25da",
"versionType": "git"
},
{
"lessThan": "2fd853fdb40afc052de338693df1372f2ead7be7",
"status": "affected",
"version": "48001ea50d17f3eb06a552e9ecf21f7fc01b25da",
"versionType": "git"
},
{
"lessThan": "e6829d1bd3c4b58296ee9e412f7ed4d6cb390192",
"status": "affected",
"version": "48001ea50d17f3eb06a552e9ecf21f7fc01b25da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm: Fix firmware activation deadlock scenarios\n\nLockdep reports the following deadlock scenarios for CXL root device\npower-management, device_prepare(), operations, and device_shutdown()\noperations for \u0027nd_region\u0027 devices:\n\n Chain exists of:\n \u0026nvdimm_region_key --\u003e \u0026nvdimm_bus-\u003ereconfig_mutex --\u003e system_transition_mutex\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(system_transition_mutex);\n lock(\u0026nvdimm_bus-\u003ereconfig_mutex);\n lock(system_transition_mutex);\n lock(\u0026nvdimm_region_key);\n\n Chain exists of:\n \u0026cxl_nvdimm_bridge_key --\u003e acpi_scan_lock --\u003e \u0026cxl_root_key\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(\u0026cxl_root_key);\n lock(acpi_scan_lock);\n lock(\u0026cxl_root_key);\n lock(\u0026cxl_nvdimm_bridge_key);\n\nThese stem from holding nvdimm_bus_lock() over hibernate_quiet_exec()\nwhich walks the entire system device topology taking device_lock() along\nthe way. The nvdimm_bus_lock() is protecting against unregistration,\nmultiple simultaneous ops callers, and preventing activate_show() from\nracing activate_store(). For the first 2, the lock is redundant.\nUnregistration already flushes all ops users, and sysfs already prevents\nmultiple threads to be active in an ops handler at the same time. For\nthe last userspace should already be waiting for its last\nactivate_store() to complete, and does not need activate_show() to flush\nthe write side, so this lock usage can be deleted in these attributes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:55.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/641649f31e20df630310f5c22f26c071acc676d4"
},
{
"url": "https://git.kernel.org/stable/c/2f97ebc58d5fc83ca1528cd553fa725472ab3ca8"
},
{
"url": "https://git.kernel.org/stable/c/ceb924ee16b2c8e48dcac3d9ad6be01c40b5a228"
},
{
"url": "https://git.kernel.org/stable/c/2fd853fdb40afc052de338693df1372f2ead7be7"
},
{
"url": "https://git.kernel.org/stable/c/e6829d1bd3c4b58296ee9e412f7ed4d6cb390192"
}
],
"title": "nvdimm: Fix firmware activation deadlock scenarios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49446",
"datePublished": "2025-02-26T02:12:57.876Z",
"dateReserved": "2025-02-26T02:08:31.571Z",
"dateUpdated": "2025-10-01T19:46:48.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49310 (GCVE-0-2022-49310)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: xillybus: fix a refcount leak in cleanup_dev()
usb_get_dev is called in xillyusb_probe. So it is better to call
usb_put_dev before xdev is released.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:44:21.264048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:58.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/xillybus/xillyusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc8fceda3b89006e8a7dda8a097d36045d044c25",
"status": "affected",
"version": "a53d1202aef122894b6e46116a92174a9123db5d",
"versionType": "git"
},
{
"lessThan": "21f1f167d727f3f857e26d509ef5a6d47fd31bc3",
"status": "affected",
"version": "a53d1202aef122894b6e46116a92174a9123db5d",
"versionType": "git"
},
{
"lessThan": "e277b95acdab84cd5d2f8d537a37aef6d21e988b",
"status": "affected",
"version": "a53d1202aef122894b6e46116a92174a9123db5d",
"versionType": "git"
},
{
"lessThan": "b67d19662fdee275c479d21853bc1239600a798f",
"status": "affected",
"version": "a53d1202aef122894b6e46116a92174a9123db5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/xillybus/xillyusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: xillybus: fix a refcount leak in cleanup_dev()\n\nusb_get_dev is called in xillyusb_probe. So it is better to call\nusb_put_dev before xdev is released."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:55.305Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc8fceda3b89006e8a7dda8a097d36045d044c25"
},
{
"url": "https://git.kernel.org/stable/c/21f1f167d727f3f857e26d509ef5a6d47fd31bc3"
},
{
"url": "https://git.kernel.org/stable/c/e277b95acdab84cd5d2f8d537a37aef6d21e988b"
},
{
"url": "https://git.kernel.org/stable/c/b67d19662fdee275c479d21853bc1239600a798f"
}
],
"title": "char: xillybus: fix a refcount leak in cleanup_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49310",
"datePublished": "2025-02-26T02:10:40.664Z",
"dateReserved": "2025-02-26T02:08:31.536Z",
"dateUpdated": "2025-10-01T19:46:58.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49705 (GCVE-0-2022-49705)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p: fix fid refcount leak in v9fs_vfs_atomic_open_dotl
We need to release directory fid if we fail halfway through open
This fixes fid leaking with xfstests generic 531
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:32:32.816962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:45.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/vfs_inode_dotl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22832ac3eb5be3f7168816a76b64c1284e12eb3c",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
},
{
"lessThan": "8bc5412ba1a45edfd1e451874c483c26a097af2b",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
},
{
"lessThan": "beca774fc51a9ba8abbc869cf0c3d965ff17cd24",
"status": "affected",
"version": "6636b6dcc3db2258cd0585b8078c1c225c4b6dde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/vfs_inode_dotl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.51",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.8",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix fid refcount leak in v9fs_vfs_atomic_open_dotl\n\nWe need to release directory fid if we fail halfway through open\n\nThis fixes fid leaking with xfstests generic 531"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:43:39.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22832ac3eb5be3f7168816a76b64c1284e12eb3c"
},
{
"url": "https://git.kernel.org/stable/c/8bc5412ba1a45edfd1e451874c483c26a097af2b"
},
{
"url": "https://git.kernel.org/stable/c/beca774fc51a9ba8abbc869cf0c3d965ff17cd24"
}
],
"title": "9p: fix fid refcount leak in v9fs_vfs_atomic_open_dotl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49705",
"datePublished": "2025-02-26T02:24:24.077Z",
"dateReserved": "2025-02-26T02:21:30.443Z",
"dateUpdated": "2025-10-01T19:36:45.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21733 (GCVE-0-2025-21733)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 07:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix resetting of tracepoints
If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD
disabled, but then that option is enabled and timerlat is removed, the
tracepoints that were enabled on timerlat registration do not get
disabled. If the option is disabled again and timelat is started, then it
triggers a warning in the tracepoint code due to registering the
tracepoint again without ever disabling it.
Do not use the same user space defined options to know to disable the
tracepoints when timerlat is removed. Instead, set a global flag when it
is enabled and use that flag to know to disable the events.
~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
~# echo timerlat > /sys/kernel/tracing/current_tracer
~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
~# echo nop > /sys/kernel/tracing/current_tracer
~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
~# echo timerlat > /sys/kernel/tracing/current_tracer
Triggers:
------------[ cut here ]------------
WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0
Modules linked in:
CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tracepoint_add_func+0x3b6/0x3f0
Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b
RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202
RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410
RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002
R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001
R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008
FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0
Call Trace:
<TASK>
? __warn.cold+0xb7/0x14d
? tracepoint_add_func+0x3b6/0x3f0
? report_bug+0xea/0x170
? handle_bug+0x58/0x90
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? __pfx_trace_sched_migrate_callback+0x10/0x10
? tracepoint_add_func+0x3b6/0x3f0
? __pfx_trace_sched_migrate_callback+0x10/0x10
? __pfx_trace_sched_migrate_callback+0x10/0x10
tracepoint_probe_register+0x78/0xb0
? __pfx_trace_sched_migrate_callback+0x10/0x10
osnoise_workload_start+0x2b5/0x370
timerlat_tracer_init+0x76/0x1b0
tracing_set_tracer+0x244/0x400
tracing_set_trace_write+0xa0/0xe0
vfs_write+0xfc/0x570
? do_sys_openat2+0x9c/0xe0
ksys_write+0x72/0xf0
do_syscall_64+0x79/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee8c4c39a8f97467d63adfe03bcd45139d8c8b53",
"status": "affected",
"version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
"versionType": "git"
},
{
"lessThan": "b45707c3c0671d9c49fa7b94c197a508aa55d16f",
"status": "affected",
"version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
"versionType": "git"
},
{
"lessThan": "e482cecd2305be1e3e6a8ee70c9b86c511484f7b",
"status": "affected",
"version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
"versionType": "git"
},
{
"lessThan": "e3ff4245928f948f3eb2e852aa350b870421c358",
"status": "affected",
"version": "e88ed227f639ebcb31ed4e5b88756b47d904584b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix resetting of tracepoints\n\nIf a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD\ndisabled, but then that option is enabled and timerlat is removed, the\ntracepoints that were enabled on timerlat registration do not get\ndisabled. If the option is disabled again and timelat is started, then it\ntriggers a warning in the tracepoint code due to registering the\ntracepoint again without ever disabling it.\n\nDo not use the same user space defined options to know to disable the\ntracepoints when timerlat is removed. Instead, set a global flag when it\nis enabled and use that flag to know to disable the events.\n\n ~# echo NO_OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo timerlat \u003e /sys/kernel/tracing/current_tracer\n ~# echo OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo nop \u003e /sys/kernel/tracing/current_tracer\n ~# echo NO_OSNOISE_WORKLOAD \u003e /sys/kernel/tracing/osnoise/options\n ~# echo timerlat \u003e /sys/kernel/tracing/current_tracer\n\nTriggers:\n\n ------------[ cut here ]------------\n WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0\n Modules linked in:\n CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:tracepoint_add_func+0x3b6/0x3f0\n Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff \u003c0f\u003e 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b\n RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202\n RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410\n RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002\n R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001\n R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008\n FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n ? __warn.cold+0xb7/0x14d\n ? tracepoint_add_func+0x3b6/0x3f0\n ? report_bug+0xea/0x170\n ? handle_bug+0x58/0x90\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? __pfx_trace_sched_migrate_callback+0x10/0x10\n ? tracepoint_add_func+0x3b6/0x3f0\n ? __pfx_trace_sched_migrate_callback+0x10/0x10\n ? __pfx_trace_sched_migrate_callback+0x10/0x10\n tracepoint_probe_register+0x78/0xb0\n ? __pfx_trace_sched_migrate_callback+0x10/0x10\n osnoise_workload_start+0x2b5/0x370\n timerlat_tracer_init+0x76/0x1b0\n tracing_set_tracer+0x244/0x400\n tracing_set_trace_write+0xa0/0xe0\n vfs_write+0xfc/0x570\n ? do_sys_openat2+0x9c/0xe0\n ksys_write+0x72/0xf0\n do_syscall_64+0x79/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:19:59.585Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee8c4c39a8f97467d63adfe03bcd45139d8c8b53"
},
{
"url": "https://git.kernel.org/stable/c/b45707c3c0671d9c49fa7b94c197a508aa55d16f"
},
{
"url": "https://git.kernel.org/stable/c/e482cecd2305be1e3e6a8ee70c9b86c511484f7b"
},
{
"url": "https://git.kernel.org/stable/c/e3ff4245928f948f3eb2e852aa350b870421c358"
}
],
"title": "tracing/osnoise: Fix resetting of tracepoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21733",
"datePublished": "2025-02-27T02:12:11.145Z",
"dateReserved": "2024-12-29T08:45:45.756Z",
"dateUpdated": "2025-05-04T07:19:59.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49325 (GCVE-0-2022-49325)
Vulnerability from cvelistv5
Published
2025-02-26 02:10
Modified
2025-05-04 08:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: add accessors to read/set tp->snd_cwnd
We had various bugs over the years with code
breaking the assumption that tp->snd_cwnd is greater
than zero.
Lately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added
in commit 8b8a321ff72c ("tcp: fix zero cwnd in tcp_cwnd_reduction")
can trigger, and without a repro we would have to spend
considerable time finding the bug.
Instead of complaining too late, we want to catch where
and when tp->snd_cwnd is set to an illegal value.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"include/trace/events/tcp.h",
"net/core/filter.c",
"net/ipv4/tcp.c",
"net/ipv4/tcp_bbr.c",
"net/ipv4/tcp_bic.c",
"net/ipv4/tcp_cdg.c",
"net/ipv4/tcp_cong.c",
"net/ipv4/tcp_cubic.c",
"net/ipv4/tcp_dctcp.c",
"net/ipv4/tcp_highspeed.c",
"net/ipv4/tcp_htcp.c",
"net/ipv4/tcp_hybla.c",
"net/ipv4/tcp_illinois.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_lp.c",
"net/ipv4/tcp_metrics.c",
"net/ipv4/tcp_nv.c",
"net/ipv4/tcp_output.c",
"net/ipv4/tcp_rate.c",
"net/ipv4/tcp_scalable.c",
"net/ipv4/tcp_vegas.c",
"net/ipv4/tcp_veno.c",
"net/ipv4/tcp_westwood.c",
"net/ipv4/tcp_yeah.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3308676ec525901bf1656014003c443a60730a04",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aba0ad44fb4a7fb78c5076c313456de199a3c29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41e191fe72282e193a7744e2fc1786b23156c9e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40570375356c874b1578e05c1dcc3ff7c1322dbe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tcp.h",
"include/trace/events/tcp.h",
"net/core/filter.c",
"net/ipv4/tcp.c",
"net/ipv4/tcp_bbr.c",
"net/ipv4/tcp_bic.c",
"net/ipv4/tcp_cdg.c",
"net/ipv4/tcp_cong.c",
"net/ipv4/tcp_cubic.c",
"net/ipv4/tcp_dctcp.c",
"net/ipv4/tcp_highspeed.c",
"net/ipv4/tcp_htcp.c",
"net/ipv4/tcp_hybla.c",
"net/ipv4/tcp_illinois.c",
"net/ipv4/tcp_input.c",
"net/ipv4/tcp_ipv4.c",
"net/ipv4/tcp_lp.c",
"net/ipv4/tcp_metrics.c",
"net/ipv4/tcp_nv.c",
"net/ipv4/tcp_output.c",
"net/ipv4/tcp_rate.c",
"net/ipv4/tcp_scalable.c",
"net/ipv4/tcp_vegas.c",
"net/ipv4/tcp_veno.c",
"net/ipv4/tcp_westwood.c",
"net/ipv4/tcp_yeah.c",
"net/ipv6/tcp_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add accessors to read/set tp-\u003esnd_cwnd\n\nWe had various bugs over the years with code\nbreaking the assumption that tp-\u003esnd_cwnd is greater\nthan zero.\n\nLately, syzbot reported the WARN_ON_ONCE(!tp-\u003eprior_cwnd) added\nin commit 8b8a321ff72c (\"tcp: fix zero cwnd in tcp_cwnd_reduction\")\ncan trigger, and without a repro we would have to spend\nconsiderable time finding the bug.\n\nInstead of complaining too late, we want to catch where\nand when tp-\u003esnd_cwnd is set to an illegal value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:35:14.345Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3308676ec525901bf1656014003c443a60730a04"
},
{
"url": "https://git.kernel.org/stable/c/5aba0ad44fb4a7fb78c5076c313456de199a3c29"
},
{
"url": "https://git.kernel.org/stable/c/41e191fe72282e193a7744e2fc1786b23156c9e4"
},
{
"url": "https://git.kernel.org/stable/c/40570375356c874b1578e05c1dcc3ff7c1322dbe"
}
],
"title": "tcp: add accessors to read/set tp-\u003esnd_cwnd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49325",
"datePublished": "2025-02-26T02:10:48.158Z",
"dateReserved": "2025-02-26T02:08:31.538Z",
"dateUpdated": "2025-05-04T08:35:14.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21859 (GCVE-0-2025-21859)
Vulnerability from cvelistv5
Published
2025-03-12 09:42
Modified
2025-11-03 19:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: f_midi: f_midi_complete to call queue_work
When using USB MIDI, a lock is attempted to be acquired twice through a
re-entrant call to f_midi_transmit, causing a deadlock.
Fix it by using queue_work() to schedule the inner f_midi_transmit() via
a high priority work queue from the completion handler.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 Version: d5daf49b58661ec4af7a55b277176efbf945ca05 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:50.980181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:38:16.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "727dee0857946b85232526de4f5a957fe163e89a",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "1f10923404705a94891e612dff3b75e828a78368",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "b09957657d7767d164b3432af2129bd72947553c",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "24a942610ee9bafb2692a456ae850c5b2e409b05",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "deeee3adb2c01eedab32c3b4519337689ad02e8a",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "e9fec6f42c45db2f62dc373fb1a10d2488c04e79",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
},
{
"lessThan": "4ab37fcb42832cdd3e9d5e50653285ca84d6686f",
"status": "affected",
"version": "d5daf49b58661ec4af7a55b277176efbf945ca05",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: f_midi: f_midi_complete to call queue_work\n\nWhen using USB MIDI, a lock is attempted to be acquired twice through a\nre-entrant call to f_midi_transmit, causing a deadlock.\n\nFix it by using queue_work() to schedule the inner f_midi_transmit() via\na high priority work queue from the completion handler."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:41.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/727dee0857946b85232526de4f5a957fe163e89a"
},
{
"url": "https://git.kernel.org/stable/c/1f10923404705a94891e612dff3b75e828a78368"
},
{
"url": "https://git.kernel.org/stable/c/b09957657d7767d164b3432af2129bd72947553c"
},
{
"url": "https://git.kernel.org/stable/c/24a942610ee9bafb2692a456ae850c5b2e409b05"
},
{
"url": "https://git.kernel.org/stable/c/deeee3adb2c01eedab32c3b4519337689ad02e8a"
},
{
"url": "https://git.kernel.org/stable/c/e9fec6f42c45db2f62dc373fb1a10d2488c04e79"
},
{
"url": "https://git.kernel.org/stable/c/8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba"
},
{
"url": "https://git.kernel.org/stable/c/4ab37fcb42832cdd3e9d5e50653285ca84d6686f"
}
],
"title": "USB: gadget: f_midi: f_midi_complete to call queue_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21859",
"datePublished": "2025-03-12T09:42:12.036Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2025-11-03T19:38:16.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21765 (GCVE-0-2025-21765)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU protection in ip6_default_advmss()
ip6_default_advmss() needs rcu protection to make
sure the net structure it reads does not disappear.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e Version: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:20.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78ad057472d8c76e0602402269222f9f9c698790",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "d02f30d220ef9511568a48dba8a9004c65f8d904",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "28de355b63ad42309ed5a03ee7c436c90512265b",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "84212387caadb211cd9dadd6fd5563bd37dc1f5e",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "4176a68b0db8fc74ac14fcd00ba8231371051dc2",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "713a40c892f40300d63691d9f85b2a23b48fe1e8",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "550ed693f47370502a71b85382e7f9e6417300b8",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "3c8ffcd248da34fc41e52a46e51505900115fc2a",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU protection in ip6_default_advmss()\n\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:38.487Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78ad057472d8c76e0602402269222f9f9c698790"
},
{
"url": "https://git.kernel.org/stable/c/d02f30d220ef9511568a48dba8a9004c65f8d904"
},
{
"url": "https://git.kernel.org/stable/c/28de355b63ad42309ed5a03ee7c436c90512265b"
},
{
"url": "https://git.kernel.org/stable/c/84212387caadb211cd9dadd6fd5563bd37dc1f5e"
},
{
"url": "https://git.kernel.org/stable/c/4176a68b0db8fc74ac14fcd00ba8231371051dc2"
},
{
"url": "https://git.kernel.org/stable/c/713a40c892f40300d63691d9f85b2a23b48fe1e8"
},
{
"url": "https://git.kernel.org/stable/c/550ed693f47370502a71b85382e7f9e6417300b8"
},
{
"url": "https://git.kernel.org/stable/c/3c8ffcd248da34fc41e52a46e51505900115fc2a"
}
],
"title": "ipv6: use RCU protection in ip6_default_advmss()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21765",
"datePublished": "2025-02-27T02:18:16.078Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:20.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49085 (GCVE-0-2022-49085)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drbd: Fix five use after free bugs in get_initial_state
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len, which is a uaf bug.
What's worse, the same problem goes even further: skb can also be
freed in the notify_*_state_change -> notify_*_state calls below.
Thus 4 additional uaf bugs happened.
My patch lets the problem callee functions: notify_initial_state_done
and notify_*_state_change return an error code if errors happen.
So that the error codes could be propagated and the uaf bugs can be avoid.
v2 reports a compilation warning. This v3 fixed this warning and built
successfully in my local environment with no additional warnings.
v2: https://lore.kernel.org/patchwork/patch/1435218/
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da Version: a29728463b254ce81ecefdf20c1a02e01d9361da |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:12.644580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:29.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/drbd/drbd_int.h",
"drivers/block/drbd/drbd_nl.c",
"drivers/block/drbd/drbd_state.c",
"drivers/block/drbd/drbd_state_change.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0489700bfeb1e53eb2039c2291c67e71b0b40103",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "dcf6be17b5c53b741898d2223b23e66d682de300",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "188fe6b26765edbad4055611c0f788b6870f4024",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "b6a4055036eed1f5e239ce3d8b0db1ce38bba447",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "594205b4936771a250f9d141e7e0fff21c3dd2d9",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "a972c768723359ec995579902473028fe3cd64b1",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "de63e74da2333b4068bb79983e632db730fea97e",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "226e993c39405292781bfcf4b039a8db56aab362",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
},
{
"lessThan": "aadb22ba2f656581b2f733deb3a467c48cc618f6",
"status": "affected",
"version": "a29728463b254ce81ecefdf20c1a02e01d9361da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/drbd/drbd_int.h",
"drivers/block/drbd/drbd_nl.c",
"drivers/block/drbd/drbd_state.c",
"drivers/block/drbd/drbd_state_change.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: Fix five use after free bugs in get_initial_state\n\nIn get_initial_state, it calls notify_initial_state_done(skb,..) if\ncb-\u003eargs[5]==1. If genlmsg_put() failed in notify_initial_state_done(),\nthe skb will be freed by nlmsg_free(skb).\nThen get_initial_state will goto out and the freed skb will be used by\nreturn value skb-\u003elen, which is a uaf bug.\n\nWhat\u0027s worse, the same problem goes even further: skb can also be\nfreed in the notify_*_state_change -\u003e notify_*_state calls below.\nThus 4 additional uaf bugs happened.\n\nMy patch lets the problem callee functions: notify_initial_state_done\nand notify_*_state_change return an error code if errors happen.\nSo that the error codes could be propagated and the uaf bugs can be avoid.\n\nv2 reports a compilation warning. This v3 fixed this warning and built\nsuccessfully in my local environment with no additional warnings.\nv2: https://lore.kernel.org/patchwork/patch/1435218/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:24.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0489700bfeb1e53eb2039c2291c67e71b0b40103"
},
{
"url": "https://git.kernel.org/stable/c/dcf6be17b5c53b741898d2223b23e66d682de300"
},
{
"url": "https://git.kernel.org/stable/c/188fe6b26765edbad4055611c0f788b6870f4024"
},
{
"url": "https://git.kernel.org/stable/c/b6a4055036eed1f5e239ce3d8b0db1ce38bba447"
},
{
"url": "https://git.kernel.org/stable/c/594205b4936771a250f9d141e7e0fff21c3dd2d9"
},
{
"url": "https://git.kernel.org/stable/c/a972c768723359ec995579902473028fe3cd64b1"
},
{
"url": "https://git.kernel.org/stable/c/de63e74da2333b4068bb79983e632db730fea97e"
},
{
"url": "https://git.kernel.org/stable/c/226e993c39405292781bfcf4b039a8db56aab362"
},
{
"url": "https://git.kernel.org/stable/c/aadb22ba2f656581b2f733deb3a467c48cc618f6"
}
],
"title": "drbd: Fix five use after free bugs in get_initial_state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49085",
"datePublished": "2025-02-26T01:54:43.579Z",
"dateReserved": "2025-02-26T01:49:39.248Z",
"dateUpdated": "2025-05-04T08:29:24.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47645 (GCVE-0-2021-47645)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com
On the case tmp_dcim=1, the index of buffer is miscalculated.
This generate a NULL pointer dereference later.
So let's fix the calcul and add a check to prevent this to reappear.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 Version: 61c3b19f7b9eb7c7838fd35f86566230fefd6550 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:50:33.182211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:07.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/zoran/zoran_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dce4b265a5357731058f69645840dabc718c687",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bafec1a6ba4b187a7fcdcfce0faebdc623d4ef8e",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "7e76f3ed7ab2ae026c6ef9cc23096a7554af8c52",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "20db2ed1e2f9fcd417fa67853e5154f0c2537d6c",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "20811bbe685ca3eddd34b0c750860427d7030910",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
},
{
"lessThan": "e3b86f4e558cea9eed71d894df2f19b10d60a207",
"status": "affected",
"version": "61c3b19f7b9eb7c7838fd35f86566230fefd6550",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/zoran/zoran_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "5.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com\n\nOn the case tmp_dcim=1, the index of buffer is miscalculated.\nThis generate a NULL pointer dereference later.\n\nSo let\u0027s fix the calcul and add a check to prevent this to reappear."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T11:16:58.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dce4b265a5357731058f69645840dabc718c687"
},
{
"url": "https://git.kernel.org/stable/c/bafec1a6ba4b187a7fcdcfce0faebdc623d4ef8e"
},
{
"url": "https://git.kernel.org/stable/c/7e76f3ed7ab2ae026c6ef9cc23096a7554af8c52"
},
{
"url": "https://git.kernel.org/stable/c/20db2ed1e2f9fcd417fa67853e5154f0c2537d6c"
},
{
"url": "https://git.kernel.org/stable/c/20811bbe685ca3eddd34b0c750860427d7030910"
},
{
"url": "https://git.kernel.org/stable/c/e3b86f4e558cea9eed71d894df2f19b10d60a207"
}
],
"title": "media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47645",
"datePublished": "2025-02-26T01:54:14.651Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-10-01T19:57:07.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21753 (GCVE-0-2025-21753)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-11-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when attempting to join an aborted transaction
When we are trying to join the current transaction and if it's aborted,
we read its 'aborted' field after unlocking fs_info->trans_lock and
without holding any extra reference count on it. This means that a
concurrent task that is aborting the transaction may free the transaction
before we read its 'aborted' field, leading to a use-after-free.
Fix this by reading the 'aborted' field while holding fs_info->trans_lock
since any freeing task must first acquire that lock and set
fs_info->running_transaction to NULL before freeing the transaction.
This was reported by syzbot and Dmitry with the following stack traces
from KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128
CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound btrfs_async_reclaim_data_space
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803
btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 5315:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
kmalloc_noprof include/linux/slab.h:901 [inline]
join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c03/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5336:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x196/0x430 mm/slub.c:4761
cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598
insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757
btrfs_balance+0x992/
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee Version: 871383be592ba7e819d27556591e315a0df38cee |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:14:22.911957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:29.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:58.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cee55b1219568c80bf0d5dc55066e4a859baf753",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "c7a53757717e68af94a56929d57f1e6daff220ec",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "6ba4663ada6c6315af23a6669d386146634808ec",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "8f5cff471039caa2b088060c074c2bf2081bcb01",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "86d71a026a7f63da905db9add845c8ee88801eca",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "ce628048390dad80320d5a1f74de6ca1e1be91e7",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
},
{
"lessThan": "e2f0943cf37305dbdeaf9846e3c941451bcdef63",
"status": "affected",
"version": "871383be592ba7e819d27556591e315a0df38cee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.78",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.14",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.3",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it\u0027s aborted,\nwe read its \u0027aborted\u0027 field after unlocking fs_info-\u003etrans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its \u0027aborted\u0027 field, leading to a use-after-free.\n\nFix this by reading the \u0027aborted\u0027 field while holding fs_info-\u003etrans_lock\nsince any freeing task must first acquire that lock and set\nfs_info-\u003erunning_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n Workqueue: events_unbound btrfs_async_reclaim_data_space\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\n Allocated by task 5315:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n kmalloc_noprof include/linux/slab.h:901 [inline]\n join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n lookup_open fs/namei.c:3649 [inline]\n open_last_lookups fs/namei.c:3748 [inline]\n path_openat+0x1c03/0x3590 fs/namei.c:3984\n do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n do_sys_open fs/open.c:1417 [inline]\n __do_sys_creat fs/open.c:1495 [inline]\n __se_sys_creat fs/open.c:1489 [inline]\n __x64_sys_creat+0x123/0x170 fs/open.c:1489\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 5336:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2353 [inline]\n slab_free mm/slub.c:4613 [inline]\n kfree+0x196/0x430 mm/slub.c:4761\n cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n btrfs_balance+0x992/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:26.747Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753"
},
{
"url": "https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec"
},
{
"url": "https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc"
},
{
"url": "https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec"
},
{
"url": "https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01"
},
{
"url": "https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca"
},
{
"url": "https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7"
},
{
"url": "https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63"
}
],
"title": "btrfs: fix use-after-free when attempting to join an aborted transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21753",
"datePublished": "2025-02-27T02:12:23.235Z",
"dateReserved": "2024-12-29T08:45:45.760Z",
"dateUpdated": "2025-11-03T19:36:58.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49402 (GCVE-0-2022-49402)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Clean up hash direct_functions on register failures
We see the following GPF when register_ftrace_direct fails:
[ ] general protection fault, probably for non-canonical address \
0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
[...]
[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70
[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...]
[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206
[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b
[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0
[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001
[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0
[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000
[ ] FS: 00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000
[ ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0
[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ ] Call Trace:
[ ] <TASK>
[ ] register_ftrace_direct+0x54/0x290
[ ] ? render_sigset_t+0xa0/0xa0
[ ] bpf_trampoline_update+0x3f5/0x4a0
[ ] ? 0xffffffffa00a3000
[ ] bpf_trampoline_link_prog+0xa9/0x140
[ ] bpf_tracing_prog_attach+0x1dc/0x450
[ ] bpf_raw_tracepoint_open+0x9a/0x1e0
[ ] ? find_held_lock+0x2d/0x90
[ ] ? lock_release+0x150/0x430
[ ] __sys_bpf+0xbd6/0x2700
[ ] ? lock_is_held_type+0xd8/0x130
[ ] __x64_sys_bpf+0x1c/0x20
[ ] do_syscall_64+0x3a/0x80
[ ] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ ] RIP: 0033:0x7fa9421defa9
[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...]
[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9
[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011
[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000
[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001
[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001
[ ] </TASK>
[ ] Modules linked in: klp_vm(OK)
[ ] ---[ end trace 0000000000000000 ]---
One way to trigger this is:
1. load a livepatch that patches kernel function xxx;
2. run bpftrace -e 'kfunc:xxx {}', this will fail (expected for now);
3. repeat #2 => gpf.
This is because the entry is added to direct_functions, but not removed.
Fix this by remove the entry from direct_functions when
register_ftrace_direct fails.
Also remove the last trailing space from ftrace.c, so we don't have to
worry about it anymore.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82c888e51c2176a06f8b4541cf748ee81aac6e7e",
"status": "affected",
"version": "763e34e74bb7d5c316015e2e39fcc8520bfd071c",
"versionType": "git"
},
{
"lessThan": "cae2978d6907ef2c08b9b15f704e783f7c284713",
"status": "affected",
"version": "763e34e74bb7d5c316015e2e39fcc8520bfd071c",
"versionType": "git"
},
{
"lessThan": "805e87af946d8d2954171361e64d143ff37a441b",
"status": "affected",
"version": "763e34e74bb7d5c316015e2e39fcc8520bfd071c",
"versionType": "git"
},
{
"lessThan": "a0392833a178cf109a57c2a9d4d531bdfc6cd98f",
"status": "affected",
"version": "763e34e74bb7d5c316015e2e39fcc8520bfd071c",
"versionType": "git"
},
{
"lessThan": "7d54c15cb89a29a5f59e5ffc9ee62e6591769ef1",
"status": "affected",
"version": "763e34e74bb7d5c316015e2e39fcc8520bfd071c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Clean up hash direct_functions on register failures\n\nWe see the following GPF when register_ftrace_direct fails:\n\n[ ] general protection fault, probably for non-canonical address \\\n 0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n[...]\n[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70\n[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...]\n[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206\n[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b\n[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0\n[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001\n[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0\n[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000\n[ ] FS: 00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000\n[ ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0\n[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ ] Call Trace:\n[ ] \u003cTASK\u003e\n[ ] register_ftrace_direct+0x54/0x290\n[ ] ? render_sigset_t+0xa0/0xa0\n[ ] bpf_trampoline_update+0x3f5/0x4a0\n[ ] ? 0xffffffffa00a3000\n[ ] bpf_trampoline_link_prog+0xa9/0x140\n[ ] bpf_tracing_prog_attach+0x1dc/0x450\n[ ] bpf_raw_tracepoint_open+0x9a/0x1e0\n[ ] ? find_held_lock+0x2d/0x90\n[ ] ? lock_release+0x150/0x430\n[ ] __sys_bpf+0xbd6/0x2700\n[ ] ? lock_is_held_type+0xd8/0x130\n[ ] __x64_sys_bpf+0x1c/0x20\n[ ] do_syscall_64+0x3a/0x80\n[ ] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ ] RIP: 0033:0x7fa9421defa9\n[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...]\n[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\n[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9\n[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011\n[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000\n[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001\n[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001\n[ ] \u003c/TASK\u003e\n[ ] Modules linked in: klp_vm(OK)\n[ ] ---[ end trace 0000000000000000 ]---\n\nOne way to trigger this is:\n 1. load a livepatch that patches kernel function xxx;\n 2. run bpftrace -e \u0027kfunc:xxx {}\u0027, this will fail (expected for now);\n 3. repeat #2 =\u003e gpf.\n\nThis is because the entry is added to direct_functions, but not removed.\nFix this by remove the entry from direct_functions when\nregister_ftrace_direct fails.\n\nAlso remove the last trailing space from ftrace.c, so we don\u0027t have to\nworry about it anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:54.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82c888e51c2176a06f8b4541cf748ee81aac6e7e"
},
{
"url": "https://git.kernel.org/stable/c/cae2978d6907ef2c08b9b15f704e783f7c284713"
},
{
"url": "https://git.kernel.org/stable/c/805e87af946d8d2954171361e64d143ff37a441b"
},
{
"url": "https://git.kernel.org/stable/c/a0392833a178cf109a57c2a9d4d531bdfc6cd98f"
},
{
"url": "https://git.kernel.org/stable/c/7d54c15cb89a29a5f59e5ffc9ee62e6591769ef1"
}
],
"title": "ftrace: Clean up hash direct_functions on register failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49402",
"datePublished": "2025-02-26T02:12:29.070Z",
"dateReserved": "2025-02-26T02:08:31.565Z",
"dateUpdated": "2025-05-04T08:36:54.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47248 (GCVE-0-2021-47248)
Vulnerability from cvelistv5
Published
2024-05-21 14:19
Modified
2025-05-04 07:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: fix race between close() and udp_abort()
Kaustubh reported and diagnosed a panic in udp_lib_lookup().
The root cause is udp_abort() racing with close(). Both
racing functions acquire the socket lock, but udp{v6}_destroy_sock()
release it before performing destructive actions.
We can't easily extend the socket lock scope to avoid the race,
instead use the SOCK_DEAD flag to prevent udp_abort from doing
any action when the critical race happens.
Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 Version: 5d77dca82839ef016a93ad7acd7058b14d967752 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T18:04:43.420239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:24.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:07.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c",
"net/ipv6/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3c36c773aed0fef8b1d3d555b43393ec564400f",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "a0882f68f54f7a8b6308261acee9bd4faab5a69e",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "2f73448041bd0682d4b552cfd314ace66107f1ad",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "5a88477c1c85e4baa51e91f2d40f2166235daa56",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "8729ec8a2238152a4afc212a331a6cd2c61aeeac",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "65310b0aff86980a011c7c7bfa487a333d4ca241",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
},
{
"lessThan": "a8b897c7bcd47f4147d066e22cc01d1026d7640e",
"status": "affected",
"version": "5d77dca82839ef016a93ad7acd7058b14d967752",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c",
"net/ipv6/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.274",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.238",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.196",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.128",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.46",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.13",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can\u0027t easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey \u003ckapandey@codeaurora.org\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:07:06.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f"
},
{
"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e"
},
{
"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad"
},
{
"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56"
},
{
"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac"
},
{
"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241"
},
{
"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e"
}
],
"title": "udp: fix race between close() and udp_abort()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47248",
"datePublished": "2024-05-21T14:19:45.588Z",
"dateReserved": "2024-04-10T18:59:19.536Z",
"dateUpdated": "2025-05-04T07:07:06.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21762 (GCVE-0-2025-21762)
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-11-03 19:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arp: use RCU protection in arp_xmit()
arp_xmit() can be called without RTNL or RCU protection.
Use RCU protection to avoid potential UAF.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 Version: 29a26a56803855a79dbd028cd61abee56237d6e5 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:30.024595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:11.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10f555e3f573d004ae9d89b3276abb58c4ede5c3",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "307cd1e2d3cb1cbc6c40c679cada6d7168b18431",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "d9366ac2f956a1948b68c0500f84a3462ff2ed8a",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "f189654459423d4d48bef2d120b4bfba559e6039",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "e9f4dee534eb1b225b0a120395ad9bc2afe164d3",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "2c331718d3389b6c5f6855078ab7171849e016bd",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
},
{
"lessThan": "a42b69f692165ec39db42d595f4f65a4c8f42e44",
"status": "affected",
"version": "29a26a56803855a79dbd028cd61abee56237d6e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: use RCU protection in arp_xmit()\n\narp_xmit() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:34.803Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10f555e3f573d004ae9d89b3276abb58c4ede5c3"
},
{
"url": "https://git.kernel.org/stable/c/307cd1e2d3cb1cbc6c40c679cada6d7168b18431"
},
{
"url": "https://git.kernel.org/stable/c/d9366ac2f956a1948b68c0500f84a3462ff2ed8a"
},
{
"url": "https://git.kernel.org/stable/c/f189654459423d4d48bef2d120b4bfba559e6039"
},
{
"url": "https://git.kernel.org/stable/c/e9f4dee534eb1b225b0a120395ad9bc2afe164d3"
},
{
"url": "https://git.kernel.org/stable/c/01d1b5c9abcaff29a43f1d17a19c33eec92c7dbe"
},
{
"url": "https://git.kernel.org/stable/c/2c331718d3389b6c5f6855078ab7171849e016bd"
},
{
"url": "https://git.kernel.org/stable/c/a42b69f692165ec39db42d595f4f65a4c8f42e44"
}
],
"title": "arp: use RCU protection in arp_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21762",
"datePublished": "2025-02-27T02:18:14.600Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:11.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49731 (GCVE-0-2022-49731)
Vulnerability from cvelistv5
Published
2025-02-26 02:24
Modified
2025-10-01 19:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
In an unlikely (and probably wrong?) case that the 'ppi' parameter of
ata_host_alloc_pinfo() points to an array starting with a NULL pointer,
there's going to be a kernel oops as the 'pi' local variable won't get
reassigned from the initial value of NULL. Initialize 'pi' instead to
'&ata_dummy_port_info' to fix the possible kernel oops for good...
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:31:53.132246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:43.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca4693e6e06e4fd2b240c0fec47aa2498c94848e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ac5efee33f29e704226506d429b84575a5d66f8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a810bd5af06977a847d1f202b22d7defd5c62497",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "253334f84c81bc6a43af489f108c0bddad989eef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "36cd19e7d4e5571d77a2ed20c5b6ef50cf57734a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ff128fbea720bf763fa345680dda5f050bc24a47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07cbdb4807d369fbda73062a91b570c4dc5ec429",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bf476fe22aa1851bab4728e0c49025a6a0bea307",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()\n\nIn an unlikely (and probably wrong?) case that the \u0027ppi\u0027 parameter of\nata_host_alloc_pinfo() points to an array starting with a NULL pointer,\nthere\u0027s going to be a kernel oops as the \u0027pi\u0027 local variable won\u0027t get\nreassigned from the initial value of NULL. Initialize \u0027pi\u0027 instead to\n\u0027\u0026ata_dummy_port_info\u0027 to fix the possible kernel oops for good...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:15.648Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca4693e6e06e4fd2b240c0fec47aa2498c94848e"
},
{
"url": "https://git.kernel.org/stable/c/1ac5efee33f29e704226506d429b84575a5d66f8"
},
{
"url": "https://git.kernel.org/stable/c/a810bd5af06977a847d1f202b22d7defd5c62497"
},
{
"url": "https://git.kernel.org/stable/c/253334f84c81bc6a43af489f108c0bddad989eef"
},
{
"url": "https://git.kernel.org/stable/c/36cd19e7d4e5571d77a2ed20c5b6ef50cf57734a"
},
{
"url": "https://git.kernel.org/stable/c/ff128fbea720bf763fa345680dda5f050bc24a47"
},
{
"url": "https://git.kernel.org/stable/c/07cbdb4807d369fbda73062a91b570c4dc5ec429"
},
{
"url": "https://git.kernel.org/stable/c/bf476fe22aa1851bab4728e0c49025a6a0bea307"
}
],
"title": "ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49731",
"datePublished": "2025-02-26T02:24:41.300Z",
"dateReserved": "2025-02-26T02:21:30.449Z",
"dateUpdated": "2025-10-01T19:36:43.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47639 (GCVE-0-2021-47639)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU
Zap both valid and invalid roots when zapping/unmapping a gfn range, as
KVM must ensure it holds no references to the freed page after returning
from the unmap operation. Most notably, the TDP MMU doesn't zap invalid
roots in mmu_notifier callbacks. This leads to use-after-free and other
issues if the mmu_notifier runs to completion while an invalid root
zapper yields as KVM fails to honor the requirement that there must be
_no_ references to the page after the mmu_notifier returns.
The bug is most easily reproduced by hacking KVM to cause a collision
between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug
exists between kvm_mmu_notifier_invalidate_range_start() and memslot
updates as well. Invalidating a root ensures pages aren't accessible by
the guest, and KVM won't read or write page data itself, but KVM will
trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing
a zap of an invalid root _after_ the mmu_notifier returns is fatal.
WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]
RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]
Call Trace:
<TASK>
kvm_set_pfn_dirty+0xa8/0xe0 [kvm]
__handle_changed_spte+0x2ab/0x5e0 [kvm]
__handle_changed_spte+0x2ab/0x5e0 [kvm]
__handle_changed_spte+0x2ab/0x5e0 [kvm]
zap_gfn_range+0x1f3/0x310 [kvm]
kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]
kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]
set_nx_huge_pages+0xb4/0x190 [kvm]
param_attr_store+0x70/0x100
module_attr_store+0x19/0x30
kernfs_fop_write_iter+0x119/0x1b0
new_sync_write+0x11c/0x1b0
vfs_write+0x1cc/0x270
ksys_write+0x5f/0xe0
do_syscall_64+0x38/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47639",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:52.744634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:35.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/tdp_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af47248407c0c5ae52a752af1ab5ce5b0db91502",
"status": "affected",
"version": "b7cccd397f310739fb85383033e95580f99927e0",
"versionType": "git"
},
{
"lessThan": "0c8a8da182d4333d9bbb9131d765145568c847b2",
"status": "affected",
"version": "b7cccd397f310739fb85383033e95580f99927e0",
"versionType": "git"
},
{
"lessThan": "8cf6f98ab1d16d5e607635a0c21c4231eb15367e",
"status": "affected",
"version": "b7cccd397f310739fb85383033e95580f99927e0",
"versionType": "git"
},
{
"lessThan": "d62007edf01f5c11f75d0f4b1e538fc52a5b1982",
"status": "affected",
"version": "b7cccd397f310739fb85383033e95580f99927e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/tdp_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU\n\nZap both valid and invalid roots when zapping/unmapping a gfn range, as\nKVM must ensure it holds no references to the freed page after returning\nfrom the unmap operation. Most notably, the TDP MMU doesn\u0027t zap invalid\nroots in mmu_notifier callbacks. This leads to use-after-free and other\nissues if the mmu_notifier runs to completion while an invalid root\nzapper yields as KVM fails to honor the requirement that there must be\n_no_ references to the page after the mmu_notifier returns.\n\nThe bug is most easily reproduced by hacking KVM to cause a collision\nbetween set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug\nexists between kvm_mmu_notifier_invalidate_range_start() and memslot\nupdates as well. Invalidating a root ensures pages aren\u0027t accessible by\nthe guest, and KVM won\u0027t read or write page data itself, but KVM will\ntrigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing\na zap of an invalid root _after_ the mmu_notifier returns is fatal.\n\n WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]\n RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]\n Call Trace:\n \u003cTASK\u003e\n kvm_set_pfn_dirty+0xa8/0xe0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n zap_gfn_range+0x1f3/0x310 [kvm]\n kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]\n kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]\n set_nx_huge_pages+0xb4/0x190 [kvm]\n param_attr_store+0x70/0x100\n module_attr_store+0x19/0x30\n kernfs_fop_write_iter+0x119/0x1b0\n new_sync_write+0x11c/0x1b0\n vfs_write+0x1cc/0x270\n ksys_write+0x5f/0xe0\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:18.607Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502"
},
{
"url": "https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2"
},
{
"url": "https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e"
},
{
"url": "https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982"
}
],
"title": "KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47639",
"datePublished": "2025-02-26T01:54:11.651Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-05-04T07:15:18.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21876 (GCVE-0-2025-21876)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix suspicious RCU usage
Commit <d74169ceb0d2> ("iommu/vt-d: Allocate DMAR fault interrupts
locally") moved the call to enable_drhd_fault_handling() to a code
path that does not hold any lock while traversing the drhd list. Fix
it by ensuring the dmar_global_lock lock is held when traversing the
drhd list.
Without this fix, the following warning is triggered:
=============================
WARNING: suspicious RCU usage
6.14.0-rc3 #55 Not tainted
-----------------------------
drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 1
2 locks held by cpuhp/1/23:
#0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0
#1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0
stack backtrace:
CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55
Call Trace:
<TASK>
dump_stack_lvl+0xb7/0xd0
lockdep_rcu_suspicious+0x159/0x1f0
? __pfx_enable_drhd_fault_handling+0x10/0x10
enable_drhd_fault_handling+0x151/0x180
cpuhp_invoke_callback+0x1df/0x990
cpuhp_thread_fun+0x1ea/0x2c0
smpboot_thread_fn+0x1f5/0x2e0
? __pfx_smpboot_thread_fn+0x10/0x10
kthread+0x12a/0x2d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x4a/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Holding the lock in enable_drhd_fault_handling() triggers a lockdep splat
about a possible deadlock between dmar_global_lock and cpu_hotplug_lock.
This is avoided by not holding dmar_global_lock when calling
iommu_device_register(), which initiates the device probe process.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/dmar.c",
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4117c72938493a77ab53cc4b8284be8fb6ec8065",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
},
{
"lessThan": "c603ccbe91d189849e1439134598ec567088dcec",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
},
{
"lessThan": "b150654f74bf0df8e6a7936d5ec51400d9ec06d8",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/dmar.c",
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix suspicious RCU usage\n\nCommit \u003cd74169ceb0d2\u003e (\"iommu/vt-d: Allocate DMAR fault interrupts\nlocally\") moved the call to enable_drhd_fault_handling() to a code\npath that does not hold any lock while traversing the drhd list. Fix\nit by ensuring the dmar_global_lock lock is held when traversing the\ndrhd list.\n\nWithout this fix, the following warning is triggered:\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3 #55 Not tainted\n -----------------------------\n drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!\n other info that might help us debug this:\n rcu_scheduler_active = 1, debug_locks = 1\n 2 locks held by cpuhp/1/23:\n #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n stack backtrace:\n CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xb7/0xd0\n lockdep_rcu_suspicious+0x159/0x1f0\n ? __pfx_enable_drhd_fault_handling+0x10/0x10\n enable_drhd_fault_handling+0x151/0x180\n cpuhp_invoke_callback+0x1df/0x990\n cpuhp_thread_fun+0x1ea/0x2c0\n smpboot_thread_fn+0x1f5/0x2e0\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x12a/0x2d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x4a/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nHolding the lock in enable_drhd_fault_handling() triggers a lockdep splat\nabout a possible deadlock between dmar_global_lock and cpu_hotplug_lock.\nThis is avoided by not holding dmar_global_lock when calling\niommu_device_register(), which initiates the device probe process."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:02.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4117c72938493a77ab53cc4b8284be8fb6ec8065"
},
{
"url": "https://git.kernel.org/stable/c/c603ccbe91d189849e1439134598ec567088dcec"
},
{
"url": "https://git.kernel.org/stable/c/b150654f74bf0df8e6a7936d5ec51400d9ec06d8"
}
],
"title": "iommu/vt-d: Fix suspicious RCU usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21876",
"datePublished": "2025-03-27T14:57:06.802Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:23:02.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49095 (GCVE-0-2022-49095)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
The error handling path of the probe releases a resource that is not freed
in the remove function. In some cases, a ioremap() must be undone.
Add the missing iounmap() call in the remove function.
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 Version: 45804fbb00eea27bdf4d62751681228a9e2844e9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/zorro7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce430cfad6a5385d5b7f7c1dc3fa50f10abfd41b",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "1e0c01319dedf1e63ec5df37ead048e17afd92ba",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "db863ab2baf058ed05c7b723612e3c40c9dd6885",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "34a47f7ddb4fd1cbd12397aa6f7dad1de08b4050",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "c5f77b595379b5191316edd365a542f8b1526066",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "aefd755a96051aa56b198cb7ecd168b22ba384f6",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "de6aee0978f164d3d0c771ce03e3066a26c371c5",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "a845c678e094894f38cc9526d212b21933ce44c7",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
},
{
"lessThan": "16ed828b872d12ccba8f07bcc446ae89ba662f9c",
"status": "affected",
"version": "45804fbb00eea27bdf4d62751681228a9e2844e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/zorro7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()\n\nThe error handling path of the probe releases a resource that is not freed\nin the remove function. In some cases, a ioremap() must be undone.\n\nAdd the missing iounmap() call in the remove function."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:29:47.033Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce430cfad6a5385d5b7f7c1dc3fa50f10abfd41b"
},
{
"url": "https://git.kernel.org/stable/c/1e0c01319dedf1e63ec5df37ead048e17afd92ba"
},
{
"url": "https://git.kernel.org/stable/c/db863ab2baf058ed05c7b723612e3c40c9dd6885"
},
{
"url": "https://git.kernel.org/stable/c/34a47f7ddb4fd1cbd12397aa6f7dad1de08b4050"
},
{
"url": "https://git.kernel.org/stable/c/c5f77b595379b5191316edd365a542f8b1526066"
},
{
"url": "https://git.kernel.org/stable/c/aefd755a96051aa56b198cb7ecd168b22ba384f6"
},
{
"url": "https://git.kernel.org/stable/c/de6aee0978f164d3d0c771ce03e3066a26c371c5"
},
{
"url": "https://git.kernel.org/stable/c/a845c678e094894f38cc9526d212b21933ce44c7"
},
{
"url": "https://git.kernel.org/stable/c/16ed828b872d12ccba8f07bcc446ae89ba662f9c"
}
],
"title": "scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49095",
"datePublished": "2025-02-26T01:54:48.637Z",
"dateReserved": "2025-02-26T01:49:39.249Z",
"dateUpdated": "2025-05-04T08:29:47.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47794 (GCVE-0-2024-47794)
Vulnerability from cvelistv5
Published
2025-01-11 12:25
Modified
2025-09-03 12:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent tailcall infinite loop caused by freplace
There is a potential infinite loop issue that can occur when using a
combination of tail calls and freplace.
In an upcoming selftest, the attach target for entry_freplace of
tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in
entry_freplace leads to entry_tc. This results in an infinite loop:
entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.
The problem arises because the tail_call_cnt in entry_freplace resets to
zero each time entry_freplace is executed, causing the tail call mechanism
to never terminate, eventually leading to a kernel panic.
To fix this issue, the solution is twofold:
1. Prevent updating a program extended by an freplace program to a
prog_array map.
2. Prevent extending a program that is already part of a prog_array map
with an freplace program.
This ensures that:
* If a program or its subprogram has been extended by an freplace program,
it can no longer be updated to a prog_array map.
* If a program has been added to a prog_array map, neither it nor its
subprograms can be extended by an freplace program.
Moreover, an extension program should not be tailcalled. As such, return
-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a
prog_array map.
Additionally, fix a minor code style issue by replacing eight spaces with a
tab for proper formatting.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/arraymap.c",
"kernel/bpf/core.c",
"kernel/bpf/syscall.c",
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "987aa730bad3e1ef66d9f30182294daa78f6387d",
"status": "affected",
"version": "be8704ff07d2374bcc5c675526f95e70c6459683",
"versionType": "git"
},
{
"lessThan": "d6083f040d5d8f8d748462c77e90547097df936e",
"status": "affected",
"version": "be8704ff07d2374bcc5c675526f95e70c6459683",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/arraymap.c",
"kernel/bpf/core.c",
"kernel/bpf/syscall.c",
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tailcall infinite loop caused by freplace\n\nThere is a potential infinite loop issue that can occur when using a\ncombination of tail calls and freplace.\n\nIn an upcoming selftest, the attach target for entry_freplace of\ntailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in\nentry_freplace leads to entry_tc. This results in an infinite loop:\n\nentry_tc -\u003e subprog_tc -\u003e entry_freplace --tailcall-\u003e entry_tc.\n\nThe problem arises because the tail_call_cnt in entry_freplace resets to\nzero each time entry_freplace is executed, causing the tail call mechanism\nto never terminate, eventually leading to a kernel panic.\n\nTo fix this issue, the solution is twofold:\n\n1. Prevent updating a program extended by an freplace program to a\n prog_array map.\n2. Prevent extending a program that is already part of a prog_array map\n with an freplace program.\n\nThis ensures that:\n\n* If a program or its subprogram has been extended by an freplace program,\n it can no longer be updated to a prog_array map.\n* If a program has been added to a prog_array map, neither it nor its\n subprograms can be extended by an freplace program.\n\nMoreover, an extension program should not be tailcalled. As such, return\n-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a\nprog_array map.\n\nAdditionally, fix a minor code style issue by replacing eight spaces with a\ntab for proper formatting."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T12:59:15.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d"
},
{
"url": "https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e"
}
],
"title": "bpf: Prevent tailcall infinite loop caused by freplace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47794",
"datePublished": "2025-01-11T12:25:14.419Z",
"dateReserved": "2025-01-09T09:49:29.737Z",
"dateUpdated": "2025-09-03T12:59:15.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49426 (GCVE-0-2022-49426)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-v3-sva: Fix mm use-after-free
We currently call arm64_mm_context_put() without holding a reference to
the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to
ensure the mm only gets freed after we unpinned the ASID.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:16:10.824439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:32.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc90f13ea0dcd960e5002d204fa55cec4e0db2fa",
"status": "affected",
"version": "32784a9562fb0518b12e9797ee2aec52214adf6f",
"versionType": "git"
},
{
"lessThan": "e3cbbdbff8a4db5d053c53fd71be62ccccdb52b0",
"status": "affected",
"version": "32784a9562fb0518b12e9797ee2aec52214adf6f",
"versionType": "git"
},
{
"lessThan": "9aa215450888cf29af0c479e14a712dc6b0c506c",
"status": "affected",
"version": "32784a9562fb0518b12e9797ee2aec52214adf6f",
"versionType": "git"
},
{
"lessThan": "cbd23144f7662b00bcde32a938c4a4057e476d68",
"status": "affected",
"version": "32784a9562fb0518b12e9797ee2aec52214adf6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3-sva: Fix mm use-after-free\n\nWe currently call arm64_mm_context_put() without holding a reference to\nthe mm, which can result in use-after-free. Call mmgrab()/mmdrop() to\nensure the mm only gets freed after we unpinned the ASID."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:24.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc90f13ea0dcd960e5002d204fa55cec4e0db2fa"
},
{
"url": "https://git.kernel.org/stable/c/e3cbbdbff8a4db5d053c53fd71be62ccccdb52b0"
},
{
"url": "https://git.kernel.org/stable/c/9aa215450888cf29af0c479e14a712dc6b0c506c"
},
{
"url": "https://git.kernel.org/stable/c/cbd23144f7662b00bcde32a938c4a4057e476d68"
}
],
"title": "iommu/arm-smmu-v3-sva: Fix mm use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49426",
"datePublished": "2025-02-26T02:12:47.206Z",
"dateReserved": "2025-02-26T02:08:31.569Z",
"dateUpdated": "2025-05-04T08:37:24.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49509 (GCVE-0-2022-49509)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-05-04 08:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: max9286: fix kernel oops when removing module
When removing the max9286 module we get a kernel oops:
Unable to handle kernel paging request at virtual address 000000aa00000094
Mem abort info:
ESR = 0x96000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000880d85000
[000000aa00000094] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in: fsl_jr_uio caam_jr rng_core libdes caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine max9271 authenc crct10dif_ce mxc_jpeg_encdec
CPU: 2 PID: 713 Comm: rmmod Tainted: G C 5.15.5-00057-gaebcd29c8ed7-dirty #5
Hardware name: Freescale i.MX8QXP MEK (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : i2c_mux_del_adapters+0x24/0xf0
lr : max9286_remove+0x28/0xd0 [max9286]
sp : ffff800013a9bbf0
x29: ffff800013a9bbf0 x28: ffff00080b6da940 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: ffff000801a5b970 x22: ffff0008048b0890 x21: ffff800009297000
x20: ffff0008048b0f70 x19: 000000aa00000064 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000014 x13: 0000000000000000 x12: ffff000802da49e8
x11: ffff000802051918 x10: ffff000802da4920 x9 : ffff000800030098
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffffffffffffffff x1 : ffff00080b6da940 x0 : 0000000000000000
Call trace:
i2c_mux_del_adapters+0x24/0xf0
max9286_remove+0x28/0xd0 [max9286]
i2c_device_remove+0x40/0x110
__device_release_driver+0x188/0x234
driver_detach+0xc4/0x150
bus_remove_driver+0x60/0xe0
driver_unregister+0x34/0x64
i2c_del_driver+0x58/0xa0
max9286_i2c_driver_exit+0x1c/0x490 [max9286]
__arm64_sys_delete_module+0x194/0x260
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0xd4/0xfc
do_el0_svc+0x2c/0x94
el0_svc+0x28/0x80
el0t_64_sync_handler+0xa8/0x130
el0t_64_sync+0x1a0/0x1a4
The Oops happens because the I2C client data does not point to
max9286_priv anymore but to v4l2_subdev. The change happened in
max9286_init() which calls v4l2_i2c_subdev_init() later on...
Besides fixing the max9286_remove() function, remove the call to
i2c_set_clientdata() in max9286_probe(), to avoid confusion, and make
the necessary changes to max9286_init() so that it doesn't have to use
i2c_get_clientdata() in order to fetch the pointer to priv.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4ec75df70575cdf33d9638c7844e729bfe6ce24",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "579c77595dbbdfe4f2edf335899f86ac51eca4e9",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "9dd783274c89c21a038d967b52a858a297e767f8",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "365ab7ebc24eebb42b9e020aeb440d51af8960cd",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: max9286: fix kernel oops when removing module\n\nWhen removing the max9286 module we get a kernel oops:\n\nUnable to handle kernel paging request at virtual address 000000aa00000094\nMem abort info:\n ESR = 0x96000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000880d85000\n[000000aa00000094] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nModules linked in: fsl_jr_uio caam_jr rng_core libdes caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine max9271 authenc crct10dif_ce mxc_jpeg_encdec\nCPU: 2 PID: 713 Comm: rmmod Tainted: G C 5.15.5-00057-gaebcd29c8ed7-dirty #5\nHardware name: Freescale i.MX8QXP MEK (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : i2c_mux_del_adapters+0x24/0xf0\nlr : max9286_remove+0x28/0xd0 [max9286]\nsp : ffff800013a9bbf0\nx29: ffff800013a9bbf0 x28: ffff00080b6da940 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000801a5b970 x22: ffff0008048b0890 x21: ffff800009297000\nx20: ffff0008048b0f70 x19: 000000aa00000064 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000014 x13: 0000000000000000 x12: ffff000802da49e8\nx11: ffff000802051918 x10: ffff000802da4920 x9 : ffff000800030098\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffffffffffffffff x1 : ffff00080b6da940 x0 : 0000000000000000\nCall trace:\n i2c_mux_del_adapters+0x24/0xf0\n max9286_remove+0x28/0xd0 [max9286]\n i2c_device_remove+0x40/0x110\n __device_release_driver+0x188/0x234\n driver_detach+0xc4/0x150\n bus_remove_driver+0x60/0xe0\n driver_unregister+0x34/0x64\n i2c_del_driver+0x58/0xa0\n max9286_i2c_driver_exit+0x1c/0x490 [max9286]\n __arm64_sys_delete_module+0x194/0x260\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xd4/0xfc\n do_el0_svc+0x2c/0x94\n el0_svc+0x28/0x80\n el0t_64_sync_handler+0xa8/0x130\n el0t_64_sync+0x1a0/0x1a4\n\nThe Oops happens because the I2C client data does not point to\nmax9286_priv anymore but to v4l2_subdev. The change happened in\nmax9286_init() which calls v4l2_i2c_subdev_init() later on...\n\nBesides fixing the max9286_remove() function, remove the call to\ni2c_set_clientdata() in max9286_probe(), to avoid confusion, and make\nthe necessary changes to max9286_init() so that it doesn\u0027t have to use\ni2c_get_clientdata() in order to fetch the pointer to priv."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:39:28.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4ec75df70575cdf33d9638c7844e729bfe6ce24"
},
{
"url": "https://git.kernel.org/stable/c/579c77595dbbdfe4f2edf335899f86ac51eca4e9"
},
{
"url": "https://git.kernel.org/stable/c/9dd783274c89c21a038d967b52a858a297e767f8"
},
{
"url": "https://git.kernel.org/stable/c/365ab7ebc24eebb42b9e020aeb440d51af8960cd"
}
],
"title": "media: i2c: max9286: fix kernel oops when removing module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49509",
"datePublished": "2025-02-26T02:13:40.134Z",
"dateReserved": "2025-02-26T02:08:31.587Z",
"dateUpdated": "2025-05-04T08:39:28.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47643 (GCVE-0-2021-47643)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ir_toy: free before error exiting
Fix leak in error path.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/ir_toy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99e3f83539cac6884a4df02cb204a57a184ea12b",
"status": "affected",
"version": "261463dbc34ff0acafe4d84df04535b48a15afea",
"versionType": "git"
},
{
"lessThan": "2011363c196846c083649c91ed30aeef64358d52",
"status": "affected",
"version": "261463dbc34ff0acafe4d84df04535b48a15afea",
"versionType": "git"
},
{
"lessThan": "382e0f6958ef34eb093127b6d74c12f3b8fd0904",
"status": "affected",
"version": "261463dbc34ff0acafe4d84df04535b48a15afea",
"versionType": "git"
},
{
"lessThan": "93ef3fdf3b6633c58f049e5a6be755777dde4340",
"status": "affected",
"version": "261463dbc34ff0acafe4d84df04535b48a15afea",
"versionType": "git"
},
{
"lessThan": "52cdb013036391d9d87aba5b4fc49cdfc6ea4b23",
"status": "affected",
"version": "261463dbc34ff0acafe4d84df04535b48a15afea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/ir_toy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: free before error exiting\n\nFix leak in error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:15:23.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99e3f83539cac6884a4df02cb204a57a184ea12b"
},
{
"url": "https://git.kernel.org/stable/c/2011363c196846c083649c91ed30aeef64358d52"
},
{
"url": "https://git.kernel.org/stable/c/382e0f6958ef34eb093127b6d74c12f3b8fd0904"
},
{
"url": "https://git.kernel.org/stable/c/93ef3fdf3b6633c58f049e5a6be755777dde4340"
},
{
"url": "https://git.kernel.org/stable/c/52cdb013036391d9d87aba5b4fc49cdfc6ea4b23"
}
],
"title": "media: ir_toy: free before error exiting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47643",
"datePublished": "2025-02-26T01:54:13.684Z",
"dateReserved": "2025-02-26T01:48:21.519Z",
"dateUpdated": "2025-05-04T07:15:23.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49246 (GCVE-0-2022-49246)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: atmel: Fix error handling in snd_proto_probe
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This function only calls of_node_put() in the regular path.
And it will cause refcount leak in error paths.
Fix this by calling of_node_put() in error handling too.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/mikroe-proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f32ac9bf5e3f594ef9bfedb410aebc98cf784e69",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "0f517480d5888cd54487c5662ce4da95b30ad798",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "8fa969cd8485031294f91fc7184399000cae6355",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
},
{
"lessThan": "b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75",
"status": "affected",
"version": "a45f8853a5f95e3760dfbd7ba09d3d597d247040",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/atmel/mikroe-proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Fix error handling in snd_proto_probe\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:16.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f32ac9bf5e3f594ef9bfedb410aebc98cf784e69"
},
{
"url": "https://git.kernel.org/stable/c/0f517480d5888cd54487c5662ce4da95b30ad798"
},
{
"url": "https://git.kernel.org/stable/c/8fa969cd8485031294f91fc7184399000cae6355"
},
{
"url": "https://git.kernel.org/stable/c/b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75"
}
],
"title": "ASoC: atmel: Fix error handling in snd_proto_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49246",
"datePublished": "2025-02-26T01:56:05.740Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:16.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49399 (GCVE-0-2022-49399)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: goldfish: Use tty_port_destroy() to destroy port
In goldfish_tty_probe(), the port initialized through tty_port_init()
should be destroyed in error paths.In goldfish_tty_remove(), qtty->port
also should be destroyed or else might leak resources.
Fix the above by calling tty_port_destroy().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca Version: 666b7793d4bfa9f150b5c2007ab48c755ddc53ca |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/goldfish.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "241fcb79dd1df276d80b19f5f6acc9eaaaa63309",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "326192b99c903a2193d820c30ed936cc2402382c",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "9ae3d073f7db5578ae1907544f0c15947e9678e6",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "ee6c33b29e624f515202a31bf6ef0437f26a1867",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "da64f419d7f78272bfe40dde1262602d4ff6b32c",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "45f6ce70abfb7ccf9d787781cbc4c03294a775a1",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "4639d1b992de8f37d66f698056875c274efcd45f",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
},
{
"lessThan": "507b05063d1b7a1fcb9f7d7c47586fc4f3508f98",
"status": "affected",
"version": "666b7793d4bfa9f150b5c2007ab48c755ddc53ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/goldfish.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: goldfish: Use tty_port_destroy() to destroy port\n\nIn goldfish_tty_probe(), the port initialized through tty_port_init()\nshould be destroyed in error paths.In goldfish_tty_remove(), qtty-\u003eport\nalso should be destroyed or else might leak resources.\n\nFix the above by calling tty_port_destroy()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:51.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/241fcb79dd1df276d80b19f5f6acc9eaaaa63309"
},
{
"url": "https://git.kernel.org/stable/c/326192b99c903a2193d820c30ed936cc2402382c"
},
{
"url": "https://git.kernel.org/stable/c/9ae3d073f7db5578ae1907544f0c15947e9678e6"
},
{
"url": "https://git.kernel.org/stable/c/ee6c33b29e624f515202a31bf6ef0437f26a1867"
},
{
"url": "https://git.kernel.org/stable/c/da64f419d7f78272bfe40dde1262602d4ff6b32c"
},
{
"url": "https://git.kernel.org/stable/c/45f6ce70abfb7ccf9d787781cbc4c03294a775a1"
},
{
"url": "https://git.kernel.org/stable/c/4639d1b992de8f37d66f698056875c274efcd45f"
},
{
"url": "https://git.kernel.org/stable/c/507b05063d1b7a1fcb9f7d7c47586fc4f3508f98"
}
],
"title": "tty: goldfish: Use tty_port_destroy() to destroy port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49399",
"datePublished": "2025-02-26T02:12:27.650Z",
"dateReserved": "2025-02-26T02:08:31.563Z",
"dateUpdated": "2025-05-04T08:36:51.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49254 (GCVE-0-2022-49254)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()
In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to
ctx->active_fmt and there is a dereference of it after that, which could
lead to NULL pointer dereference on failure of devm_kzalloc().
Fix this bug by adding a NULL check of ctx->active_fmt.
This bug was found by a static analyzer.
Builds with 'make allyesconfig' show no new warnings, and our static
analyzer no longer warns about this code.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/ti-vpe/cal-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa613ac270292e102503e9767882e39200efe608",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "91e2805579ab0783eed53acc2bf9fb553e939004",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "1381f1a629a090c251965edb56f849ad648414a4",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
},
{
"lessThan": "abd77889851d2ead0d0c9c4d29f1808801477b00",
"status": "affected",
"version": "7168155002cf7aadbfaa14a28f037c880a214764",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/ti-vpe/cal-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()\n\nIn cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to\nctx-\u003eactive_fmt and there is a dereference of it after that, which could\nlead to NULL pointer dereference on failure of devm_kzalloc().\n\nFix this bug by adding a NULL check of ctx-\u003eactive_fmt.\n\nThis bug was found by a static analyzer.\n\nBuilds with \u0027make allyesconfig\u0027 show no new warnings, and our static\nanalyzer no longer warns about this code."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:27.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa613ac270292e102503e9767882e39200efe608"
},
{
"url": "https://git.kernel.org/stable/c/91e2805579ab0783eed53acc2bf9fb553e939004"
},
{
"url": "https://git.kernel.org/stable/c/1381f1a629a090c251965edb56f849ad648414a4"
},
{
"url": "https://git.kernel.org/stable/c/abd77889851d2ead0d0c9c4d29f1808801477b00"
}
],
"title": "media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49254",
"datePublished": "2025-02-26T01:56:09.619Z",
"dateReserved": "2025-02-26T01:49:39.295Z",
"dateUpdated": "2025-05-04T08:33:27.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49390 (GCVE-0-2022-49390)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 12:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
macsec: fix UAF bug for real_dev
Create a new macsec device but not get reference to real_dev. That can
not ensure that real_dev is freed after macsec. That will trigger the
UAF bug for real_dev as following:
==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
Call Trace:
...
macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
dev_get_iflink+0x73/0xe0 net/core/dev.c:637
default_operstate net/core/link_watch.c:42 [inline]
rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161
Allocated by task 22209:
...
alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748
Freed by task 8:
...
kfree+0xd6/0x4d0 mm/slub.c:4552
kvfree+0x42/0x50 mm/util.c:615
device_release+0x9f/0x240 drivers/base/core.c:2229
kobject_cleanup lib/kobject.c:673 [inline]
kobject_release lib/kobject.c:704 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x540 lib/kobject.c:721
netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327
After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
macsec_free_netdev() to fix the problem.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2bce1ebed17da54c65042ec2b962e3234bad5b47 Version: 2bce1ebed17da54c65042ec2b962e3234bad5b47 Version: 2bce1ebed17da54c65042ec2b962e3234bad5b47 Version: 1861904a6092ed411203c6a02c75bfc45b27cc3c Version: 3a2675a2d97a68332fa5c33043038bfeb31455a8 Version: b0add6db3d5ec4561cab257358871a9d3df7f0a3 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:33.560218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:28.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78933cbc143b82d02330e00900d2fd08f2682f4e",
"status": "affected",
"version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
"versionType": "git"
},
{
"lessThan": "d130282179aa6051449ac8f8df1115769998a665",
"status": "affected",
"version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
"versionType": "git"
},
{
"lessThan": "196a888ca6571deb344468e1d7138e3273206335",
"status": "affected",
"version": "2bce1ebed17da54c65042ec2b962e3234bad5b47",
"versionType": "git"
},
{
"status": "affected",
"version": "1861904a6092ed411203c6a02c75bfc45b27cc3c",
"versionType": "git"
},
{
"status": "affected",
"version": "3a2675a2d97a68332fa5c33043038bfeb31455a8",
"versionType": "git"
},
{
"status": "affected",
"version": "b0add6db3d5ec4561cab257358871a9d3df7f0a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: fix UAF bug for real_dev\n\nCreate a new macsec device but not get reference to real_dev. That can\nnot ensure that real_dev is freed after macsec. That will trigger the\nUAF bug for real_dev as following:\n\n==================================================================\nBUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\nCall Trace:\n ...\n macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\n dev_get_iflink+0x73/0xe0 net/core/dev.c:637\n default_operstate net/core/link_watch.c:42 [inline]\n rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54\n linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161\n\nAllocated by task 22209:\n ...\n alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549\n rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235\n veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748\n\nFreed by task 8:\n ...\n kfree+0xd6/0x4d0 mm/slub.c:4552\n kvfree+0x42/0x50 mm/util.c:615\n device_release+0x9f/0x240 drivers/base/core.c:2229\n kobject_cleanup lib/kobject.c:673 [inline]\n kobject_release lib/kobject.c:704 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1c8/0x540 lib/kobject.c:721\n netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327\n\nAfter commit faab39f63c1f (\"net: allow out-of-order netdev unregistration\")\nand commit e5f80fcf869a (\"ipv6: give an IPv6 dev to blackhole_netdev\"), we\ncan add dev_hold_track() in macsec_dev_init() and dev_put_track() in\nmacsec_free_netdev() to fix the problem."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:44:34.195Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e"
},
{
"url": "https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665"
},
{
"url": "https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335"
}
],
"title": "macsec: fix UAF bug for real_dev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49390",
"datePublished": "2025-02-26T02:11:23.327Z",
"dateReserved": "2025-02-26T02:08:31.561Z",
"dateUpdated": "2025-05-04T12:44:34.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49292 (GCVE-0-2022-49292)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: oss: Fix PCM OSS buffer allocation overflow
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc(). Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device. Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates is given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().
This patch is an attempt to avoid such an overflow and an allocation
for too large buffers. First off, it adds the limit of 1MB as the
upper bound for period bytes. This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size. The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.
In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c",
"sound/core/oss/pcm_plugin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a63af1baf0a5e11827db60e3127f87e437cab6e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c4190b41a69990666b4000999e27f8f1b2a426b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ce74ff7059341d8b2f4d01c3383491df63d1898",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a40cbf3579a8e14849ba7ce46309c1992658d2b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb08bf99195a87c798bc8ae1357337a981faeade",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e74a069c6a7bb505f3ade141dddf85f4b0b5145a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efb6402c3c4a7c26d97c92d70186424097b6e366",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/pcm_oss.c",
"sound/core/oss/pcm_plugin.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe\u0027ve got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it\u0027s based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don\u0027t want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:34:23.499Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5"
},
{
"url": "https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b"
},
{
"url": "https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898"
},
{
"url": "https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b"
},
{
"url": "https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade"
},
{
"url": "https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a"
},
{
"url": "https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366"
}
],
"title": "ALSA: oss: Fix PCM OSS buffer allocation overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49292",
"datePublished": "2025-02-26T01:56:28.552Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2025-05-04T08:34:23.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49056 (GCVE-0-2022-49056)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-05-20T13:54:51.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49056",
"datePublished": "2025-02-26T01:54:28.256Z",
"dateRejected": "2025-05-20T13:54:51.614Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-05-20T13:54:51.614Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56640 (GCVE-0-2024-56640)
Vulnerability from cvelistv5
Published
2024-12-27 15:02
Modified
2025-11-03 20:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix LGR and link use-after-free issue
We encountered a LGR/link use-after-free issue, which manifested as
the LGR/link refcnt reaching 0 early and entering the clear process,
making resource access unsafe.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140
Workqueue: events smc_lgr_terminate_work [smc]
Call trace:
refcount_warn_saturate+0x9c/0x140
__smc_lgr_terminate.part.45+0x2a8/0x370 [smc]
smc_lgr_terminate_work+0x28/0x30 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
or
refcount_t: underflow; use-after-free.
WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140
Workqueue: smc_hs_wq smc_listen_work [smc]
Call trace:
refcount_warn_saturate+0xf0/0x140
smcr_link_put+0x1cc/0x1d8 [smc]
smc_conn_free+0x110/0x1b0 [smc]
smc_conn_abort+0x50/0x60 [smc]
smc_listen_find_device+0x75c/0x790 [smc]
smc_listen_work+0x368/0x8a0 [smc]
process_one_work+0x1b8/0x420
worker_thread+0x158/0x510
kthread+0x114/0x118
It is caused by repeated release of LGR/link refcnt. One suspect is that
smc_conn_free() is called repeatedly because some smc_conn_free() from
server listening path are not protected by sock lock.
e.g.
Calls under socklock | smc_listen_work
-------------------------------------------------------
lock_sock(sk) | smc_conn_abort
smc_conn_free | \- smc_conn_free
\- smcr_link_put | \- smcr_link_put (duplicated)
release_sock(sk)
So here add sock lock protection in smc_listen_work() path, making it
exclusive with other connection operations.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:41:51.231757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:22.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:51:40.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f502a88fdd415647a1f2dc45fac71b9c522a052b",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "0cf598548a6c36d90681d53c6b77d52363f2f295",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "673d606683ac70bc074ca6676b938bff18635226",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "6f0ae06a234a78ae137064f2c89135ac078a00eb",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
},
{
"lessThan": "2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7",
"status": "affected",
"version": "3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n refcount_warn_saturate+0x9c/0x140\n __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n smc_lgr_terminate_work+0x28/0x30 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n refcount_warn_saturate+0xf0/0x140\n smcr_link_put+0x1cc/0x1d8 [smc]\n smc_conn_free+0x110/0x1b0 [smc]\n smc_conn_abort+0x50/0x60 [smc]\n smc_listen_find_device+0x75c/0x790 [smc]\n smc_listen_work+0x368/0x8a0 [smc]\n process_one_work+0x1b8/0x420\n worker_thread+0x158/0x510\n kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk) | smc_conn_abort\nsmc_conn_free | \\- smc_conn_free\n\\- smcr_link_put | \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:00:47.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b"
},
{
"url": "https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295"
},
{
"url": "https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226"
},
{
"url": "https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb"
},
{
"url": "https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7"
}
],
"title": "net/smc: fix LGR and link use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56640",
"datePublished": "2024-12-27T15:02:42.253Z",
"dateReserved": "2024-12-27T15:00:39.839Z",
"dateUpdated": "2025-11-03T20:51:40.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53064 (GCVE-0-2024-53064)
Vulnerability from cvelistv5
Published
2024-11-19 17:22
Modified
2025-10-01 20:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix idpf_vc_core_init error path
In an event where the platform running the device control plane
is rebooted, reset is detected on the driver. It releases
all the resources and waits for the reset to complete. Once the
reset is done, it tries to build the resources back. At this
time if the device control plane is not yet started, then
the driver timeouts on the virtchnl message and retries to
establish the mailbox again.
In the retry flow, mailbox is deinitialized but the mailbox
workqueue is still alive and polling for the mailbox message.
This results in accessing the released control queue leading to
null-ptr-deref. Fix it by unrolling the work queue cancellation
and mailbox deinitialization in the reverse order which they got
initialized.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:12:39.767213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:16.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "683fcd90ba22507ebeb1921a26dfe77efff8c266",
"status": "affected",
"version": "4930fbf419a72d7477426fd883bfc37e20a61a6e",
"versionType": "git"
},
{
"lessThan": "9b58031ff96b84a38d7b73b23c7ecfb2e0557f43",
"status": "affected",
"version": "4930fbf419a72d7477426fd883bfc37e20a61a6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix idpf_vc_core_init error path\n\nIn an event where the platform running the device control plane\nis rebooted, reset is detected on the driver. It releases\nall the resources and waits for the reset to complete. Once the\nreset is done, it tries to build the resources back. At this\ntime if the device control plane is not yet started, then\nthe driver timeouts on the virtchnl message and retries to\nestablish the mailbox again.\n\nIn the retry flow, mailbox is deinitialized but the mailbox\nworkqueue is still alive and polling for the mailbox message.\nThis results in accessing the released control queue leading to\nnull-ptr-deref. Fix it by unrolling the work queue cancellation\nand mailbox deinitialization in the reverse order which they got\ninitialized."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:52:02.781Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/683fcd90ba22507ebeb1921a26dfe77efff8c266"
},
{
"url": "https://git.kernel.org/stable/c/9b58031ff96b84a38d7b73b23c7ecfb2e0557f43"
}
],
"title": "idpf: fix idpf_vc_core_init error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53064",
"datePublished": "2024-11-19T17:22:34.143Z",
"dateReserved": "2024-11-19T17:17:24.975Z",
"dateUpdated": "2025-10-01T20:17:16.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49156 (GCVE-0-2022-49156)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:31
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix scheduling while atomic
The driver makes a call into midlayer (fc_remote_port_delete) which can put
the thread to sleep. The thread that originates the call is in interrupt
context. The combination of the two trigger a crash. Schedule the call in
non-interrupt context where it is more safe.
kernel: BUG: scheduling while atomic: swapper/7/0/0x00010000
kernel: Call Trace:
kernel: <IRQ>
kernel: dump_stack+0x66/0x81
kernel: __schedule_bug.cold.90+0x5/0x1d
kernel: __schedule+0x7af/0x960
kernel: schedule+0x28/0x80
kernel: schedule_timeout+0x26d/0x3b0
kernel: wait_for_completion+0xb4/0x140
kernel: ? wake_up_q+0x70/0x70
kernel: __wait_rcu_gp+0x12c/0x160
kernel: ? sdev_evt_alloc+0xc0/0x180 [scsi_mod]
kernel: synchronize_sched+0x6c/0x80
kernel: ? call_rcu_bh+0x20/0x20
kernel: ? __bpf_trace_rcu_invoke_callback+0x10/0x10
kernel: sdev_evt_alloc+0xfd/0x180 [scsi_mod]
kernel: starget_for_each_device+0x85/0xb0 [scsi_mod]
kernel: ? scsi_init_io+0x360/0x3d0 [scsi_mod]
kernel: scsi_init_io+0x388/0x3d0 [scsi_mod]
kernel: device_for_each_child+0x54/0x90
kernel: fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc]
kernel: qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx]
kernel: qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx]
kernel: qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx]
kernel: qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx]
kernel: qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx]
kernel: qla24xx_process_response_queue+0x306/0x400 [qla2xxx]
kernel: qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx]
kernel: __handle_irq_event_percpu+0x40/0x180
kernel: handle_irq_event_percpu+0x30/0x80
kernel: handle_irq_event+0x36/0x60
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fef50214dd04427233a2e66cd624d468e67aecb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "826a9d4a00d1424afa961504aec6298ee92d5053",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78225d6a2a4ffdb2250ce2b7691a9e68a3f86912",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78612f2fe8e26637476d756a44f0f05cca0d97de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "afd438ff874ca40b74321b3fa19bd61adfd7ca0c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix scheduling while atomic\n\nThe driver makes a call into midlayer (fc_remote_port_delete) which can put\nthe thread to sleep. The thread that originates the call is in interrupt\ncontext. The combination of the two trigger a crash. Schedule the call in\nnon-interrupt context where it is more safe.\n\nkernel: BUG: scheduling while atomic: swapper/7/0/0x00010000\nkernel: Call Trace:\nkernel: \u003cIRQ\u003e\nkernel: dump_stack+0x66/0x81\nkernel: __schedule_bug.cold.90+0x5/0x1d\nkernel: __schedule+0x7af/0x960\nkernel: schedule+0x28/0x80\nkernel: schedule_timeout+0x26d/0x3b0\nkernel: wait_for_completion+0xb4/0x140\nkernel: ? wake_up_q+0x70/0x70\nkernel: __wait_rcu_gp+0x12c/0x160\nkernel: ? sdev_evt_alloc+0xc0/0x180 [scsi_mod]\nkernel: synchronize_sched+0x6c/0x80\nkernel: ? call_rcu_bh+0x20/0x20\nkernel: ? __bpf_trace_rcu_invoke_callback+0x10/0x10\nkernel: sdev_evt_alloc+0xfd/0x180 [scsi_mod]\nkernel: starget_for_each_device+0x85/0xb0 [scsi_mod]\nkernel: ? scsi_init_io+0x360/0x3d0 [scsi_mod]\nkernel: scsi_init_io+0x388/0x3d0 [scsi_mod]\nkernel: device_for_each_child+0x54/0x90\nkernel: fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc]\nkernel: qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx]\nkernel: qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx]\nkernel: qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx]\nkernel: qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx]\nkernel: qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx]\nkernel: qla24xx_process_response_queue+0x306/0x400 [qla2xxx]\nkernel: qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx]\nkernel: __handle_irq_event_percpu+0x40/0x180\nkernel: handle_irq_event_percpu+0x30/0x80\nkernel: handle_irq_event+0x36/0x60"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:31:11.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fef50214dd04427233a2e66cd624d468e67aecb"
},
{
"url": "https://git.kernel.org/stable/c/826a9d4a00d1424afa961504aec6298ee92d5053"
},
{
"url": "https://git.kernel.org/stable/c/78225d6a2a4ffdb2250ce2b7691a9e68a3f86912"
},
{
"url": "https://git.kernel.org/stable/c/78612f2fe8e26637476d756a44f0f05cca0d97de"
},
{
"url": "https://git.kernel.org/stable/c/afd438ff874ca40b74321b3fa19bd61adfd7ca0c"
}
],
"title": "scsi: qla2xxx: Fix scheduling while atomic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49156",
"datePublished": "2025-02-26T01:55:20.285Z",
"dateReserved": "2025-02-26T01:49:39.275Z",
"dateUpdated": "2025-05-04T08:31:11.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49411 (GCVE-0-2022-49411)
Vulnerability from cvelistv5
Published
2025-02-26 02:12
Modified
2025-05-04 08:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bfq: Make sure bfqg for which we are queueing requests is online
Bios queued into BFQ IO scheduler can be associated with a cgroup that
was already offlined. This may then cause insertion of this bfq_group
into a service tree. But this bfq_group will get freed as soon as last
bio associated with it is completed leading to use after free issues for
service tree users. Fix the problem by making sure we always operate on
online bfq_group. If the bfq_group associated with the bio is not
online, we pick the first online parent.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c Version: e21b7a0b988772e82e7147e1c659a5afe2ae003c |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:14:17.027775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:21:43.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ccddf8cd411c1800863ed357064e56ceffd356bb",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "51f724bffa3403a5236597e6b75df7329c1ec6e9",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "6ee0868b0c3ccead5907685fcdcdd0c08dfe4b0b",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "97bd6c56bdcb41079e488e31df56809e3b2ce628",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "7781c38552e6cc54ed8e9040279561340516b881",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
},
{
"lessThan": "075a53b78b815301f8d3dd1ee2cd99554e34f0dd",
"status": "affected",
"version": "e21b7a0b988772e82e7147e1c659a5afe2ae003c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.121",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Make sure bfqg for which we are queueing requests is online\n\nBios queued into BFQ IO scheduler can be associated with a cgroup that\nwas already offlined. This may then cause insertion of this bfq_group\ninto a service tree. But this bfq_group will get freed as soon as last\nbio associated with it is completed leading to use after free issues for\nservice tree users. Fix the problem by making sure we always operate on\nonline bfq_group. If the bfq_group associated with the bio is not\nonline, we pick the first online parent."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:37:06.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ccddf8cd411c1800863ed357064e56ceffd356bb"
},
{
"url": "https://git.kernel.org/stable/c/51f724bffa3403a5236597e6b75df7329c1ec6e9"
},
{
"url": "https://git.kernel.org/stable/c/6ee0868b0c3ccead5907685fcdcdd0c08dfe4b0b"
},
{
"url": "https://git.kernel.org/stable/c/97bd6c56bdcb41079e488e31df56809e3b2ce628"
},
{
"url": "https://git.kernel.org/stable/c/7781c38552e6cc54ed8e9040279561340516b881"
},
{
"url": "https://git.kernel.org/stable/c/075a53b78b815301f8d3dd1ee2cd99554e34f0dd"
}
],
"title": "bfq: Make sure bfqg for which we are queueing requests is online",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49411",
"datePublished": "2025-02-26T02:12:33.628Z",
"dateReserved": "2025-02-26T02:08:31.567Z",
"dateUpdated": "2025-05-04T08:37:06.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54683 (GCVE-0-2024-54683)
Vulnerability from cvelistv5
Published
2025-01-11 12:29
Modified
2025-10-01 19:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: IDLETIMER: Fix for possible ABBA deadlock
Deletion of the last rule referencing a given idletimer may happen at
the same time as a read of its file in sysfs:
| ======================================================
| WARNING: possible circular locking dependency detected
| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted
| ------------------------------------------------------
| iptables/3303 is trying to acquire lock:
| ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20
|
| but task is already holding lock:
| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]
|
| which lock already depends on the new lock.
A simple reproducer is:
| #!/bin/bash
|
| while true; do
| iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme"
| iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme"
| done &
| while true; do
| cat /sys/class/xt_idletimer/timers/testme >/dev/null
| done
Avoid this by freeing list_mutex right after deleting the element from
the list, then continuing with the teardown.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:55:27.468543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:21.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c2c8445cda8f59c38dec7dc10509bcb23ae26a0",
"status": "affected",
"version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
"versionType": "git"
},
{
"lessThan": "45fe76573a2557f632e248cc141342233f422b9a",
"status": "affected",
"version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
"versionType": "git"
},
{
"lessThan": "f36b01994d68ffc253c8296e2228dfe6e6431c03",
"status": "affected",
"version": "0902b469bd25065aa0688c3cee6f11744c817e7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.67",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.6",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: IDLETIMER: Fix for possible ABBA deadlock\n\nDeletion of the last rule referencing a given idletimer may happen at\nthe same time as a read of its file in sysfs:\n\n| ======================================================\n| WARNING: possible circular locking dependency detected\n| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted\n| ------------------------------------------------------\n| iptables/3303 is trying to acquire lock:\n| ffff8881057e04b8 (kn-\u003eactive#48){++++}-{0:0}, at: __kernfs_remove+0x20\n|\n| but task is already holding lock:\n| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]\n|\n| which lock already depends on the new lock.\n\nA simple reproducer is:\n\n| #!/bin/bash\n|\n| while true; do\n| iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n| iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n| done \u0026\n| while true; do\n| cat /sys/class/xt_idletimer/timers/testme \u003e/dev/null\n| done\n\nAvoid this by freeing list_mutex right after deleting the element from\nthe list, then continuing with the teardown."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:57:10.479Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c2c8445cda8f59c38dec7dc10509bcb23ae26a0"
},
{
"url": "https://git.kernel.org/stable/c/45fe76573a2557f632e248cc141342233f422b9a"
},
{
"url": "https://git.kernel.org/stable/c/f36b01994d68ffc253c8296e2228dfe6e6431c03"
}
],
"title": "netfilter: IDLETIMER: Fix for possible ABBA deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-54683",
"datePublished": "2025-01-11T12:29:54.407Z",
"dateReserved": "2025-01-09T09:49:29.693Z",
"dateUpdated": "2025-10-01T19:57:21.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49207 (GCVE-0-2022-49207)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix memleak in sk_psock_queue_msg
If tcp_bpf_sendmsg is running during a tear down operation we may enqueue
data on the ingress msg queue while tear down is trying to free it.
sk1 (redirect sk2) sk2
------------------- ---------------
tcp_bpf_sendmsg()
tcp_bpf_send_verdict()
tcp_bpf_sendmsg_redir()
bpf_tcp_ingress()
sock_map_close()
lock_sock()
lock_sock() ... blocking
sk_psock_stop
sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
release_sock(sk);
lock_sock()
sk_mem_charge()
get_page()
sk_psock_queue_msg()
sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);
drop_sk_msg()
release_sock()
While drop_sk_msg(), the msg has charged memory form sk by sk_mem_charge
and has sg pages need to put. To fix we use sk_msg_free() and then kfee()
msg.
This issue can cause the following info:
WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0
Call Trace:
<IRQ>
inet_csk_destroy_sock+0x55/0x110
tcp_rcv_state_process+0xe5f/0xe90
? sk_filter_trim_cap+0x10d/0x230
? tcp_v4_do_rcv+0x161/0x250
tcp_v4_do_rcv+0x161/0x250
tcp_v4_rcv+0xc3a/0xce0
ip_protocol_deliver_rcu+0x3d/0x230
ip_local_deliver_finish+0x54/0x60
ip_local_deliver+0xfd/0x110
? ip_protocol_deliver_rcu+0x230/0x230
ip_rcv+0xd6/0x100
? ip_local_deliver+0x110/0x110
__netif_receive_skb_one_core+0x85/0xa0
process_backlog+0xa4/0x160
__napi_poll+0x29/0x1b0
net_rx_action+0x287/0x300
__do_softirq+0xff/0x2fc
do_softirq+0x79/0x90
</IRQ>
WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
? process_one_work+0x3c0/0x3c0
worker_thread+0x30/0x350
? process_one_work+0x3c0/0x3c0
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:47:03.450960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:06.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skmsg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef9785f429794567792561a584901faa9291d3ee",
"status": "affected",
"version": "9635720b7c88592214562cb72605bdab6708006c",
"versionType": "git"
},
{
"lessThan": "4dd2e947d3be13a4de3b3028859b9a6497266bcf",
"status": "affected",
"version": "9635720b7c88592214562cb72605bdab6708006c",
"versionType": "git"
},
{
"lessThan": "03948ed6553960db62f1c33bec29e64d7c191a3f",
"status": "affected",
"version": "9635720b7c88592214562cb72605bdab6708006c",
"versionType": "git"
},
{
"lessThan": "938d3480b92fa5e454b7734294f12a7b75126f09",
"status": "affected",
"version": "9635720b7c88592214562cb72605bdab6708006c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skmsg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix memleak in sk_psock_queue_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation we may enqueue\ndata on the ingress msg queue while tear down is trying to free it.\n\n sk1 (redirect sk2) sk2\n ------------------- ---------------\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n tcp_bpf_sendmsg_redir()\n bpf_tcp_ingress()\n sock_map_close()\n lock_sock()\n lock_sock() ... blocking\n sk_psock_stop\n sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);\n release_sock(sk);\n lock_sock()\n sk_mem_charge()\n get_page()\n sk_psock_queue_msg()\n sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);\n drop_sk_msg()\n release_sock()\n\nWhile drop_sk_msg(), the msg has charged memory form sk by sk_mem_charge\nand has sg pages need to put. To fix we use sk_msg_free() and then kfee()\nmsg.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0\nCall Trace:\n \u003cIRQ\u003e\n inet_csk_destroy_sock+0x55/0x110\n tcp_rcv_state_process+0xe5f/0xe90\n ? sk_filter_trim_cap+0x10d/0x230\n ? tcp_v4_do_rcv+0x161/0x250\n tcp_v4_do_rcv+0x161/0x250\n tcp_v4_rcv+0xc3a/0xce0\n ip_protocol_deliver_rcu+0x3d/0x230\n ip_local_deliver_finish+0x54/0x60\n ip_local_deliver+0xfd/0x110\n ? ip_protocol_deliver_rcu+0x230/0x230\n ip_rcv+0xd6/0x100\n ? ip_local_deliver+0x110/0x110\n __netif_receive_skb_one_core+0x85/0xa0\n process_backlog+0xa4/0x160\n __napi_poll+0x29/0x1b0\n net_rx_action+0x287/0x300\n __do_softirq+0xff/0x2fc\n do_softirq+0x79/0x90\n \u003c/IRQ\u003e\n\nWARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n ? process_one_work+0x3c0/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:32:22.335Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef9785f429794567792561a584901faa9291d3ee"
},
{
"url": "https://git.kernel.org/stable/c/4dd2e947d3be13a4de3b3028859b9a6497266bcf"
},
{
"url": "https://git.kernel.org/stable/c/03948ed6553960db62f1c33bec29e64d7c191a3f"
},
{
"url": "https://git.kernel.org/stable/c/938d3480b92fa5e454b7734294f12a7b75126f09"
}
],
"title": "bpf, sockmap: Fix memleak in sk_psock_queue_msg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49207",
"datePublished": "2025-02-26T01:55:46.177Z",
"dateReserved": "2025-02-26T01:49:39.291Z",
"dateUpdated": "2025-10-01T19:47:06.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49269 (GCVE-0-2022-49269)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-05-04 08:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: sanitize CAN ID checks in isotp_bind()
Syzbot created an environment that lead to a state machine status that
can not be reached with a compliant CAN ID address configuration.
The provided address information consisted of CAN ID 0x6000001 and 0xC28001
which both boil down to 11 bit CAN IDs 0x001 in sending and receiving.
Sanitize the SFF/EFF CAN ID values before performing the address checks.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d72866a7f5326160d2a9d945a33eb6ef1883e25d",
"status": "affected",
"version": "e057dd3fc20ffb3d7f150af46542a51b59b90127",
"versionType": "git"
},
{
"lessThan": "f343dbe82314ab457153c9afd970be4e9e553020",
"status": "affected",
"version": "e057dd3fc20ffb3d7f150af46542a51b59b90127",
"versionType": "git"
},
{
"lessThan": "cf522d741f5301223cc94b978eb1603c7590d65e",
"status": "affected",
"version": "e057dd3fc20ffb3d7f150af46542a51b59b90127",
"versionType": "git"
},
{
"lessThan": "7b4652fc71dcec043977a6def80ef5034c913615",
"status": "affected",
"version": "e057dd3fc20ffb3d7f150af46542a51b59b90127",
"versionType": "git"
},
{
"lessThan": "3ea566422cbde9610c2734980d1286ab681bb40e",
"status": "affected",
"version": "e057dd3fc20ffb3d7f150af46542a51b59b90127",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: sanitize CAN ID checks in isotp_bind()\n\nSyzbot created an environment that lead to a state machine status that\ncan not be reached with a compliant CAN ID address configuration.\nThe provided address information consisted of CAN ID 0x6000001 and 0xC28001\nwhich both boil down to 11 bit CAN IDs 0x001 in sending and receiving.\n\nSanitize the SFF/EFF CAN ID values before performing the address checks."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:45.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d72866a7f5326160d2a9d945a33eb6ef1883e25d"
},
{
"url": "https://git.kernel.org/stable/c/f343dbe82314ab457153c9afd970be4e9e553020"
},
{
"url": "https://git.kernel.org/stable/c/cf522d741f5301223cc94b978eb1603c7590d65e"
},
{
"url": "https://git.kernel.org/stable/c/7b4652fc71dcec043977a6def80ef5034c913615"
},
{
"url": "https://git.kernel.org/stable/c/3ea566422cbde9610c2734980d1286ab681bb40e"
}
],
"title": "can: isotp: sanitize CAN ID checks in isotp_bind()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49269",
"datePublished": "2025-02-26T01:56:17.204Z",
"dateReserved": "2025-02-26T01:49:39.297Z",
"dateUpdated": "2025-05-04T08:33:45.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49371 (GCVE-0-2022-49371)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: fix deadlock in __device_attach
In __device_attach function, The lock holding logic is as follows:
...
__device_attach
device_lock(dev) // get lock dev
async_schedule_dev(__device_attach_async_helper, dev); // func
async_schedule_node
async_schedule_node_domain(func)
entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC);
/* when fail or work limit, sync to execute func, but
__device_attach_async_helper will get lock dev as
well, which will lead to A-A deadlock. */
if (!entry || atomic_read(&entry_count) > MAX_WORK) {
func;
else
queue_work_node(node, system_unbound_wq, &entry->work)
device_unlock(dev)
As shown above, when it is allowed to do async probes, because of
out of memory or work limit, async work is not allowed, to do
sync execute instead. it will lead to A-A deadlock because of
__device_attach_async_helper getting lock dev.
To fix the deadlock, move the async_schedule_dev outside device_lock,
as we can see, in async_schedule_node_domain, the parameter of
queue_work_node is system_unbound_wq, so it can accept concurrent
operations. which will also not change the code logic, and will
not lead to deadlock.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 765230b5f084863183aa8adb3405ab3f32c0b16e Version: 765230b5f084863183aa8adb3405ab3f32c0b16e Version: 765230b5f084863183aa8adb3405ab3f32c0b16e Version: 765230b5f084863183aa8adb3405ab3f32c0b16e Version: 765230b5f084863183aa8adb3405ab3f32c0b16e Version: 765230b5f084863183aa8adb3405ab3f32c0b16e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:42:17.592122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:52.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "593b595332bd2d65e1a5c1ae7897996c157f5468",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
},
{
"lessThan": "36ee9ffca8ef56c302f2855c4a5fccf61c0c1ada",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
},
{
"lessThan": "df6de52b80aa3b46f5ac804412355ffe2e1df93e",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
},
{
"lessThan": "d53a227bfcd5160ce1b61d9954901968a20651e7",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
},
{
"lessThan": "34fdd9b7def9d2fcb71bb7b0bc4848dd7313767e",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
},
{
"lessThan": "b232b02bf3c205b13a26dcec08e53baddd8e59ed",
"status": "affected",
"version": "765230b5f084863183aa8adb3405ab3f32c0b16e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/dd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.122",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.47",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.15",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix deadlock in __device_attach\n\nIn __device_attach function, The lock holding logic is as follows:\n...\n__device_attach\ndevice_lock(dev) // get lock dev\n async_schedule_dev(__device_attach_async_helper, dev); // func\n async_schedule_node\n async_schedule_node_domain(func)\n entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC);\n\t/* when fail or work limit, sync to execute func, but\n\t __device_attach_async_helper will get lock dev as\n\t well, which will lead to A-A deadlock. */\n\tif (!entry || atomic_read(\u0026entry_count) \u003e MAX_WORK) {\n\t func;\n\telse\n\t queue_work_node(node, system_unbound_wq, \u0026entry-\u003ework)\n device_unlock(dev)\n\nAs shown above, when it is allowed to do async probes, because of\nout of memory or work limit, async work is not allowed, to do\nsync execute instead. it will lead to A-A deadlock because of\n__device_attach_async_helper getting lock dev.\n\nTo fix the deadlock, move the async_schedule_dev outside device_lock,\nas we can see, in async_schedule_node_domain, the parameter of\nqueue_work_node is system_unbound_wq, so it can accept concurrent\noperations. which will also not change the code logic, and will\nnot lead to deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:36:16.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/593b595332bd2d65e1a5c1ae7897996c157f5468"
},
{
"url": "https://git.kernel.org/stable/c/36ee9ffca8ef56c302f2855c4a5fccf61c0c1ada"
},
{
"url": "https://git.kernel.org/stable/c/df6de52b80aa3b46f5ac804412355ffe2e1df93e"
},
{
"url": "https://git.kernel.org/stable/c/d53a227bfcd5160ce1b61d9954901968a20651e7"
},
{
"url": "https://git.kernel.org/stable/c/34fdd9b7def9d2fcb71bb7b0bc4848dd7313767e"
},
{
"url": "https://git.kernel.org/stable/c/b232b02bf3c205b13a26dcec08e53baddd8e59ed"
}
],
"title": "driver core: fix deadlock in __device_attach",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49371",
"datePublished": "2025-02-26T02:11:13.652Z",
"dateReserved": "2025-02-26T02:08:31.555Z",
"dateUpdated": "2025-10-01T19:46:52.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49059 (GCVE-0-2022-49059)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: add flush_workqueue to prevent uaf
Our detector found a concurrent use-after-free bug when detaching an
NCI device. The main reason for this bug is the unexpected scheduling
between the used delayed mechanism (timer and workqueue).
The race can be demonstrated below:
Thread-1 Thread-2
| nci_dev_up()
| nci_open_device()
| __nci_request(nci_reset_req)
| nci_send_cmd
| queue_work(cmd_work)
nci_unregister_device() |
nci_close_device() | ...
del_timer_sync(cmd_timer)[1] |
... | Worker
nci_free_device() | nci_cmd_work()
kfree(ndev)[3] | mod_timer(cmd_timer)[2]
In short, the cleanup routine thought that the cmd_timer has already
been detached by [1] but the mod_timer can re-attach the timer [2], even
it is already released [3], resulting in UAF.
This UAF is easy to trigger, crash trace by POC is like below
[ 66.703713] ==================================================================
[ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
[ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
[ 66.703974]
[ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
[ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
[ 66.703974] Call Trace:
[ 66.703974] <TASK>
[ 66.703974] dump_stack_lvl+0x57/0x7d
[ 66.703974] print_report.cold+0x5e/0x5db
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] kasan_report+0xbe/0x1c0
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] enqueue_timer+0x448/0x490
[ 66.703974] __mod_timer+0x5e6/0xb80
[ 66.703974] ? mark_held_locks+0x9e/0xe0
[ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 66.703974] ? queue_work_on+0x61/0x80
[ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130
[ 66.703974] process_one_work+0x8bb/0x1510
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230
[ 66.703974] ? rwlock_bug.part.0+0x90/0x90
[ 66.703974] ? _raw_spin_lock_irq+0x41/0x50
[ 66.703974] worker_thread+0x575/0x1190
[ 66.703974] ? process_one_work+0x1510/0x1510
[ 66.703974] kthread+0x2a0/0x340
[ 66.703974] ? kthread_complete_and_exit+0x20/0x20
[ 66.703974] ret_from_fork+0x22/0x30
[ 66.703974] </TASK>
[ 66.703974]
[ 66.703974] Allocated by task 267:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] __kasan_kmalloc+0x81/0xa0
[ 66.703974] nci_allocate_device+0xd3/0x390
[ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0
[ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd
[ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0
[ 66.703974] tty_ioctl+0x764/0x1310
[ 66.703974] __x64_sys_ioctl+0x122/0x190
[ 66.703974] do_syscall_64+0x3b/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 66.703974]
[ 66.703974] Freed by task 406:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] kasan_set_track+0x21/0x30
[ 66.703974] kasan_set_free_info+0x20/0x30
[ 66.703974] __kasan_slab_free+0x108/0x170
[ 66.703974] kfree+0xb0/0x330
[ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0
[ 66.703974] nci_uart_tty_close+0xdf/0x180
[ 66.703974] tty_ldisc_kill+0x73/0x110
[ 66.703974] tty_ldisc_hangup+0x281/0x5b0
[ 66.703974] __tty_hangup.part.0+0x431/0x890
[ 66.703974] tty_release+0x3a8/0xc80
[ 66.703974] __fput+0x1f0/0x8c0
[ 66.703974] task_work_run+0xc9/0x170
[ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0
[ 66.703974] syscall_exit_to_user_mode+0x19/0x50
[ 66.703974] do_syscall_64+0x48/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0x
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 Version: 6a2968aaf50c7a22fced77a5e24aa636281efca8 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:59:20.702464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:30.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d3232214ca4ea8f7d18df264c3b254aa8089d7f",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9d243aff5f7e6b04e907c617426bbdf26e996ac8",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "1a1748d0dd0f0a98535c6baeef671c8722107639",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "5c63ad2b0a267a524c12c88acb1ba9c2d109a801",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "67677050cecbe0edfdd81cd508415e9636ba7c65",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9ded5ae40f4fe37fcc28f36d76bf45df20be5432",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "edd4600120641e1714e30112e69a548cfb68e067",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "ef27324e2cb7bb24542d6cb2571740eefe6b00dc",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.311",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.239",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.190",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.112",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.35",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: add flush_workqueue to prevent uaf\n\nOur detector found a concurrent use-after-free bug when detaching an\nNCI device. The main reason for this bug is the unexpected scheduling\nbetween the used delayed mechanism (timer and workqueue).\n\nThe race can be demonstrated below:\n\nThread-1 Thread-2\n | nci_dev_up()\n | nci_open_device()\n | __nci_request(nci_reset_req)\n | nci_send_cmd\n | queue_work(cmd_work)\nnci_unregister_device() |\n nci_close_device() | ...\n del_timer_sync(cmd_timer)[1] |\n... | Worker\nnci_free_device() | nci_cmd_work()\n kfree(ndev)[3] | mod_timer(cmd_timer)[2]\n\nIn short, the cleanup routine thought that the cmd_timer has already\nbeen detached by [1] but the mod_timer can re-attach the timer [2], even\nit is already released [3], resulting in UAF.\n\nThis UAF is easy to trigger, crash trace by POC is like below\n\n[ 66.703713] ==================================================================\n[ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490\n[ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33\n[ 66.703974]\n[ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5\n[ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work\n[ 66.703974] Call Trace:\n[ 66.703974] \u003cTASK\u003e\n[ 66.703974] dump_stack_lvl+0x57/0x7d\n[ 66.703974] print_report.cold+0x5e/0x5db\n[ 66.703974] ? enqueue_timer+0x448/0x490\n[ 66.703974] kasan_report+0xbe/0x1c0\n[ 66.703974] ? enqueue_timer+0x448/0x490\n[ 66.703974] enqueue_timer+0x448/0x490\n[ 66.703974] __mod_timer+0x5e6/0xb80\n[ 66.703974] ? mark_held_locks+0x9e/0xe0\n[ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0\n[ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410\n[ 66.703974] ? queue_work_on+0x61/0x80\n[ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130\n[ 66.703974] process_one_work+0x8bb/0x1510\n[ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410\n[ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230\n[ 66.703974] ? rwlock_bug.part.0+0x90/0x90\n[ 66.703974] ? _raw_spin_lock_irq+0x41/0x50\n[ 66.703974] worker_thread+0x575/0x1190\n[ 66.703974] ? process_one_work+0x1510/0x1510\n[ 66.703974] kthread+0x2a0/0x340\n[ 66.703974] ? kthread_complete_and_exit+0x20/0x20\n[ 66.703974] ret_from_fork+0x22/0x30\n[ 66.703974] \u003c/TASK\u003e\n[ 66.703974]\n[ 66.703974] Allocated by task 267:\n[ 66.703974] kasan_save_stack+0x1e/0x40\n[ 66.703974] __kasan_kmalloc+0x81/0xa0\n[ 66.703974] nci_allocate_device+0xd3/0x390\n[ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0\n[ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd\n[ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0\n[ 66.703974] tty_ioctl+0x764/0x1310\n[ 66.703974] __x64_sys_ioctl+0x122/0x190\n[ 66.703974] do_syscall_64+0x3b/0x90\n[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 66.703974]\n[ 66.703974] Freed by task 406:\n[ 66.703974] kasan_save_stack+0x1e/0x40\n[ 66.703974] kasan_set_track+0x21/0x30\n[ 66.703974] kasan_set_free_info+0x20/0x30\n[ 66.703974] __kasan_slab_free+0x108/0x170\n[ 66.703974] kfree+0xb0/0x330\n[ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0\n[ 66.703974] nci_uart_tty_close+0xdf/0x180\n[ 66.703974] tty_ldisc_kill+0x73/0x110\n[ 66.703974] tty_ldisc_hangup+0x281/0x5b0\n[ 66.703974] __tty_hangup.part.0+0x431/0x890\n[ 66.703974] tty_release+0x3a8/0xc80\n[ 66.703974] __fput+0x1f0/0x8c0\n[ 66.703974] task_work_run+0xc9/0x170\n[ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0\n[ 66.703974] syscall_exit_to_user_mode+0x19/0x50\n[ 66.703974] do_syscall_64+0x48/0x90\n[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0x\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:28:51.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d3232214ca4ea8f7d18df264c3b254aa8089d7f"
},
{
"url": "https://git.kernel.org/stable/c/9d243aff5f7e6b04e907c617426bbdf26e996ac8"
},
{
"url": "https://git.kernel.org/stable/c/1a1748d0dd0f0a98535c6baeef671c8722107639"
},
{
"url": "https://git.kernel.org/stable/c/5c63ad2b0a267a524c12c88acb1ba9c2d109a801"
},
{
"url": "https://git.kernel.org/stable/c/67677050cecbe0edfdd81cd508415e9636ba7c65"
},
{
"url": "https://git.kernel.org/stable/c/9ded5ae40f4fe37fcc28f36d76bf45df20be5432"
},
{
"url": "https://git.kernel.org/stable/c/edd4600120641e1714e30112e69a548cfb68e067"
},
{
"url": "https://git.kernel.org/stable/c/ef27324e2cb7bb24542d6cb2571740eefe6b00dc"
}
],
"title": "nfc: nci: add flush_workqueue to prevent uaf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49059",
"datePublished": "2025-02-26T01:54:29.819Z",
"dateReserved": "2025-02-26T01:49:39.243Z",
"dateUpdated": "2025-05-04T08:28:51.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49560 (GCVE-0-2022-49560)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: check if cluster num is valid
Syzbot reported slab-out-of-bounds read in exfat_clear_bitmap.
This was triggered by reproducer calling truncute with size 0,
which causes the following trace:
BUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174
Read of size 8 at addr ffff888115aa9508 by task syz-executor251/365
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174
exfat_free_cluster+0x25a/0x4a0 fs/exfat/fatent.c:181
__exfat_truncate+0x99e/0xe00 fs/exfat/file.c:217
exfat_truncate+0x11b/0x4f0 fs/exfat/file.c:243
exfat_setattr+0xa03/0xd40 fs/exfat/file.c:339
notify_change+0xb76/0xe10 fs/attr.c:336
do_truncate+0x1ea/0x2d0 fs/open.c:65
Move the is_valid_cluster() helper from fatent.c to a common
header to make it reusable in other *.c files. And add is_valid_cluster()
to validate if cluster number is within valid range in exfat_clear_bitmap()
and exfat_set_bitmap().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:16.623841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:39.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c",
"fs/exfat/exfat_fs.h",
"fs/exfat/fatent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82f723b8a5adf497f9e34c702a30ca7298615654",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "c504167adc3248095a905fa0700a9693897cb5ed",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "7c58b14b6f9cde9f69e7fa053ab73f6e013a7131",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "2193286402df2d9c53294f7a858d5e6fd7346e08",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "64ba4b15e5c045f8b746c6da5fc9be9a6b00b61d",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c",
"fs/exfat/exfat_fs.h",
"fs/exfat/fatent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.45",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: check if cluster num is valid\n\nSyzbot reported slab-out-of-bounds read in exfat_clear_bitmap.\nThis was triggered by reproducer calling truncute with size 0,\nwhich causes the following trace:\n\nBUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174\nRead of size 8 at addr ffff888115aa9508 by task syz-executor251/365\n\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118\n print_address_description+0x81/0x3c0 mm/kasan/report.c:233\n __kasan_report mm/kasan/report.c:419 [inline]\n kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309\n exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174\n exfat_free_cluster+0x25a/0x4a0 fs/exfat/fatent.c:181\n __exfat_truncate+0x99e/0xe00 fs/exfat/file.c:217\n exfat_truncate+0x11b/0x4f0 fs/exfat/file.c:243\n exfat_setattr+0xa03/0xd40 fs/exfat/file.c:339\n notify_change+0xb76/0xe10 fs/attr.c:336\n do_truncate+0x1ea/0x2d0 fs/open.c:65\n\nMove the is_valid_cluster() helper from fatent.c to a common\nheader to make it reusable in other *.c files. And add is_valid_cluster()\nto validate if cluster number is within valid range in exfat_clear_bitmap()\nand exfat_set_bitmap()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:34.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82f723b8a5adf497f9e34c702a30ca7298615654"
},
{
"url": "https://git.kernel.org/stable/c/c504167adc3248095a905fa0700a9693897cb5ed"
},
{
"url": "https://git.kernel.org/stable/c/7c58b14b6f9cde9f69e7fa053ab73f6e013a7131"
},
{
"url": "https://git.kernel.org/stable/c/2193286402df2d9c53294f7a858d5e6fd7346e08"
},
{
"url": "https://git.kernel.org/stable/c/64ba4b15e5c045f8b746c6da5fc9be9a6b00b61d"
}
],
"title": "exfat: check if cluster num is valid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49560",
"datePublished": "2025-02-26T02:14:05.548Z",
"dateReserved": "2025-02-26T02:08:31.591Z",
"dateUpdated": "2025-10-01T19:46:39.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49551 (GCVE-0-2022-49551)
Vulnerability from cvelistv5
Published
2025-02-26 02:14
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: isp1760: Fix out-of-bounds array access
Running the driver through kasan gives an interesting splat:
BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c
Read of size 20 at addr f1db2e64 by task swapper/0/1
(...)
isp1760_register from isp1760_plat_probe+0x1d8/0x220
(...)
This happens because the loop reading the regmap fields for the
different ISP1760 variants look like this:
for (i = 0; i < HC_FIELD_MAX; i++) { ... }
Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.
However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],
isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are
dynamically sized during compilation.
Fix this by putting an empty assignment to the [HC_FIELD_MAX]
and [DC_FIELD_MAX] array member at the end of each array.
This will make the array one member longer than it needs to be,
but avoids the risk of overwriting whatever is inside
[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also
add comments explaining what is going on.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:19.759163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:39.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/isp1760/isp1760-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf2558bbdce3ab1d6bcba09f354914e4515d0a2b",
"status": "affected",
"version": "1da9e1c06873350c99ba49a052f92de85f2c69f2",
"versionType": "git"
},
{
"lessThan": "47d39cb57e8669e507d17d9e0d067d2b3e3a87ae",
"status": "affected",
"version": "1da9e1c06873350c99ba49a052f92de85f2c69f2",
"versionType": "git"
},
{
"lessThan": "463bddd3ff1acf4036ddb80c34a715eb99debf46",
"status": "affected",
"version": "1da9e1c06873350c99ba49a052f92de85f2c69f2",
"versionType": "git"
},
{
"lessThan": "26ae2c942b5702f2e43d36b2a4389cfb7d616b6a",
"status": "affected",
"version": "1da9e1c06873350c99ba49a052f92de85f2c69f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/isp1760/isp1760-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: isp1760: Fix out-of-bounds array access\n\nRunning the driver through kasan gives an interesting splat:\n\n BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c\n Read of size 20 at addr f1db2e64 by task swapper/0/1\n (...)\n isp1760_register from isp1760_plat_probe+0x1d8/0x220\n (...)\n\nThis happens because the loop reading the regmap fields for the\ndifferent ISP1760 variants look like this:\n\n for (i = 0; i \u003c HC_FIELD_MAX; i++) { ... }\n\nMeaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.\n\nHowever the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],\nisp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are\ndynamically sized during compilation.\n\nFix this by putting an empty assignment to the [HC_FIELD_MAX]\nand [DC_FIELD_MAX] array member at the end of each array.\nThis will make the array one member longer than it needs to be,\nbut avoids the risk of overwriting whatever is inside\n[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also\nadd comments explaining what is going on."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:22.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf2558bbdce3ab1d6bcba09f354914e4515d0a2b"
},
{
"url": "https://git.kernel.org/stable/c/47d39cb57e8669e507d17d9e0d067d2b3e3a87ae"
},
{
"url": "https://git.kernel.org/stable/c/463bddd3ff1acf4036ddb80c34a715eb99debf46"
},
{
"url": "https://git.kernel.org/stable/c/26ae2c942b5702f2e43d36b2a4389cfb7d616b6a"
}
],
"title": "usb: isp1760: Fix out-of-bounds array access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49551",
"datePublished": "2025-02-26T02:14:01.196Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-10-01T19:46:39.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49118 (GCVE-0-2022-49118)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Free irq vectors in order for v3 HW
If the driver probe fails to request the channel IRQ or fatal IRQ, the
driver will free the IRQ vectors before freeing the IRQs in free_irq(),
and this will cause a kernel BUG like this:
------------[ cut here ]------------
kernel BUG at drivers/pci/msi.c:369!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Call trace:
free_msi_irqs+0x118/0x13c
pci_disable_msi+0xfc/0x120
pci_free_irq_vectors+0x24/0x3c
hisi_sas_v3_probe+0x360/0x9d0 [hisi_sas_v3_hw]
local_pci_probe+0x44/0xb0
work_for_cpu_fn+0x20/0x34
process_one_work+0x1d0/0x340
worker_thread+0x2e0/0x460
kthread+0x180/0x190
ret_from_fork+0x10/0x20
---[ end trace b88990335b610c11 ]---
So we use devm_add_action() to control the order in which we free the
vectors.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "224903cc60d045576393c3b16907742f23e6c740",
"status": "affected",
"version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
"versionType": "git"
},
{
"lessThan": "f05a0d8de2ea49af36821a20b0b501e20ced937e",
"status": "affected",
"version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
"versionType": "git"
},
{
"lessThan": "8b6eab9d683bae7f88dc894b8c851f866032301c",
"status": "affected",
"version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
"versionType": "git"
},
{
"lessThan": "b4cc04fa8f1fc3816c8494d77abab3f72b9d2292",
"status": "affected",
"version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
"versionType": "git"
},
{
"lessThan": "554fb72ee34f4732c7f694f56c3c6e67790352a0",
"status": "affected",
"version": "47caad1577cd7a39e2048c5e4edbce4b863dc12b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hisi_sas/hisi_sas_v3_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Free irq vectors in order for v3 HW\n\nIf the driver probe fails to request the channel IRQ or fatal IRQ, the\ndriver will free the IRQ vectors before freeing the IRQs in free_irq(),\nand this will cause a kernel BUG like this:\n\n------------[ cut here ]------------\nkernel BUG at drivers/pci/msi.c:369!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nCall trace:\n free_msi_irqs+0x118/0x13c\n pci_disable_msi+0xfc/0x120\n pci_free_irq_vectors+0x24/0x3c\n hisi_sas_v3_probe+0x360/0x9d0 [hisi_sas_v3_hw]\n local_pci_probe+0x44/0xb0\n work_for_cpu_fn+0x20/0x34\n process_one_work+0x1d0/0x340\n worker_thread+0x2e0/0x460\n kthread+0x180/0x190\n ret_from_fork+0x10/0x20\n---[ end trace b88990335b610c11 ]---\n\nSo we use devm_add_action() to control the order in which we free the\nvectors."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:16.543Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/224903cc60d045576393c3b16907742f23e6c740"
},
{
"url": "https://git.kernel.org/stable/c/f05a0d8de2ea49af36821a20b0b501e20ced937e"
},
{
"url": "https://git.kernel.org/stable/c/8b6eab9d683bae7f88dc894b8c851f866032301c"
},
{
"url": "https://git.kernel.org/stable/c/b4cc04fa8f1fc3816c8494d77abab3f72b9d2292"
},
{
"url": "https://git.kernel.org/stable/c/554fb72ee34f4732c7f694f56c3c6e67790352a0"
}
],
"title": "scsi: hisi_sas: Free irq vectors in order for v3 HW",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49118",
"datePublished": "2025-02-26T01:55:00.169Z",
"dateReserved": "2025-02-26T01:49:39.263Z",
"dateUpdated": "2025-05-04T08:30:16.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49121 (GCVE-0-2022-49121)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix tag leaks on error
In pm8001_chip_set_dev_state_req(), pm8001_chip_fw_flash_update_req(),
pm80xx_chip_phy_ctl_req() and pm8001_chip_reg_dev_req() add missing calls
to pm8001_tag_free() to free the allocated tag when pm8001_mpi_build_cmd()
fails.
Similarly, in pm8001_exec_internal_task_abort(), if the chip ->task_abort
method fails, the tag allocated for the abort request task must be
freed. Add the missing call to pm8001_tag_free().
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c",
"drivers/scsi/pm8001/pm8001_sas.c",
"drivers/scsi/pm8001/pm80xx_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0bb65eadbf942024226241d9d99fed17168940b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43c617eefab7077d69f5989ad3e2a273da1d728b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bdc74815f1c39905054b7d47399e0260b201b14d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9cc72bcc1c096ed42c91646f130d4b4191580a4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c8f04b1905cd4b776d0b720463c091545478ef7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c",
"drivers/scsi/pm8001/pm8001_sas.c",
"drivers/scsi/pm8001/pm80xx_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix tag leaks on error\n\nIn pm8001_chip_set_dev_state_req(), pm8001_chip_fw_flash_update_req(),\npm80xx_chip_phy_ctl_req() and pm8001_chip_reg_dev_req() add missing calls\nto pm8001_tag_free() to free the allocated tag when pm8001_mpi_build_cmd()\nfails.\n\nSimilarly, in pm8001_exec_internal_task_abort(), if the chip -\u003etask_abort\nmethod fails, the tag allocated for the abort request task must be\nfreed. Add the missing call to pm8001_tag_free()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:30:20.626Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0bb65eadbf942024226241d9d99fed17168940b"
},
{
"url": "https://git.kernel.org/stable/c/43c617eefab7077d69f5989ad3e2a273da1d728b"
},
{
"url": "https://git.kernel.org/stable/c/bdc74815f1c39905054b7d47399e0260b201b14d"
},
{
"url": "https://git.kernel.org/stable/c/9cc72bcc1c096ed42c91646f130d4b4191580a4c"
},
{
"url": "https://git.kernel.org/stable/c/4c8f04b1905cd4b776d0b720463c091545478ef7"
}
],
"title": "scsi: pm8001: Fix tag leaks on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49121",
"datePublished": "2025-02-26T01:55:01.671Z",
"dateReserved": "2025-02-26T01:49:39.264Z",
"dateUpdated": "2025-05-04T08:30:20.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49239 (GCVE-0-2022-49239)
Vulnerability from cvelistv5
Published
2025-02-26 01:56
Modified
2025-10-01 19:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
This is similar to commit 64b92de9603f
("ASoC: wcd9335: fix a leaked reference by adding missing of_node_put")
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:52.621969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:02.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd934x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f24716e38220fc9e52e208d20591d2bc9b7f020",
"status": "affected",
"version": "a61f3b4f476eceb25274161e5a53a8d18e42610b",
"versionType": "git"
},
{
"lessThan": "2f44eca78cc6d4e1779eb95765ec79e433accab4",
"status": "affected",
"version": "a61f3b4f476eceb25274161e5a53a8d18e42610b",
"versionType": "git"
},
{
"lessThan": "f3793eeb7b94a5eeed6f5c7a44bce403c6681a12",
"status": "affected",
"version": "a61f3b4f476eceb25274161e5a53a8d18e42610b",
"versionType": "git"
},
{
"lessThan": "f8e89d84ea83c51ba3ba97ff154f7aa679326760",
"status": "affected",
"version": "a61f3b4f476eceb25274161e5a53a8d18e42610b",
"versionType": "git"
},
{
"lessThan": "9531a631379169d57756b2411178c6238655df88",
"status": "affected",
"version": "a61f3b4f476eceb25274161e5a53a8d18e42610b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd934x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\nThis is similar to commit 64b92de9603f\n(\"ASoC: wcd9335: fix a leaked reference by adding missing of_node_put\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:33:07.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f24716e38220fc9e52e208d20591d2bc9b7f020"
},
{
"url": "https://git.kernel.org/stable/c/2f44eca78cc6d4e1779eb95765ec79e433accab4"
},
{
"url": "https://git.kernel.org/stable/c/f3793eeb7b94a5eeed6f5c7a44bce403c6681a12"
},
{
"url": "https://git.kernel.org/stable/c/f8e89d84ea83c51ba3ba97ff154f7aa679326760"
},
{
"url": "https://git.kernel.org/stable/c/9531a631379169d57756b2411178c6238655df88"
}
],
"title": "ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49239",
"datePublished": "2025-02-26T01:56:02.220Z",
"dateReserved": "2025-02-26T01:49:39.294Z",
"dateUpdated": "2025-10-01T19:47:02.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49542 (GCVE-0-2022-49542)
Vulnerability from cvelistv5
Published
2025-02-26 02:13
Modified
2025-10-01 19:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()
In an attempt to log message 0126 with LOG_TRACE_EVENT, the following hard
lockup call trace hangs the system.
Call Trace:
_raw_spin_lock_irqsave+0x32/0x40
lpfc_dmp_dbg.part.32+0x28/0x220 [lpfc]
lpfc_cmpl_els_fdisc+0x145/0x460 [lpfc]
lpfc_sli_cancel_jobs+0x92/0xd0 [lpfc]
lpfc_els_flush_cmd+0x43c/0x670 [lpfc]
lpfc_els_flush_all_cmd+0x37/0x60 [lpfc]
lpfc_sli4_async_event_proc+0x956/0x1720 [lpfc]
lpfc_do_work+0x1485/0x1d70 [lpfc]
kthread+0x112/0x130
ret_from_fork+0x1f/0x40
Kernel panic - not syncing: Hard LOCKUP
The same CPU tries to claim the phba->port_list_lock twice.
Move the cfg_log_verbose checks as part of the lpfc_printf_vlog() and
lpfc_printf_log() macros before calling lpfc_dmp_dbg(). There is no need
to take the phba->port_list_lock within lpfc_dmp_dbg().
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:37:35.607576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:46:40.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c",
"drivers/scsi/lpfc/lpfc_logmsg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "271725e4028559ae7974d762a8467dc9de412f2e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cc6501afccec55b8b6c90584cbf71f1fefa77d1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09c772557a4fd9490fed1bfb133268313ea22213",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e294647b1aed4247fe52851f3a3b2b19ae906228",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c",
"drivers/scsi/lpfc/lpfc_logmsg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()\n\nIn an attempt to log message 0126 with LOG_TRACE_EVENT, the following hard\nlockup call trace hangs the system.\n\nCall Trace:\n _raw_spin_lock_irqsave+0x32/0x40\n lpfc_dmp_dbg.part.32+0x28/0x220 [lpfc]\n lpfc_cmpl_els_fdisc+0x145/0x460 [lpfc]\n lpfc_sli_cancel_jobs+0x92/0xd0 [lpfc]\n lpfc_els_flush_cmd+0x43c/0x670 [lpfc]\n lpfc_els_flush_all_cmd+0x37/0x60 [lpfc]\n lpfc_sli4_async_event_proc+0x956/0x1720 [lpfc]\n lpfc_do_work+0x1485/0x1d70 [lpfc]\n kthread+0x112/0x130\n ret_from_fork+0x1f/0x40\nKernel panic - not syncing: Hard LOCKUP\n\nThe same CPU tries to claim the phba-\u003eport_list_lock twice.\n\nMove the cfg_log_verbose checks as part of the lpfc_printf_vlog() and\nlpfc_printf_log() macros before calling lpfc_dmp_dbg(). There is no need\nto take the phba-\u003eport_list_lock within lpfc_dmp_dbg()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:40:10.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/271725e4028559ae7974d762a8467dc9de412f2e"
},
{
"url": "https://git.kernel.org/stable/c/cc6501afccec55b8b6c90584cbf71f1fefa77d1e"
},
{
"url": "https://git.kernel.org/stable/c/09c772557a4fd9490fed1bfb133268313ea22213"
},
{
"url": "https://git.kernel.org/stable/c/e294647b1aed4247fe52851f3a3b2b19ae906228"
}
],
"title": "scsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49542",
"datePublished": "2025-02-26T02:13:56.961Z",
"dateReserved": "2025-02-26T02:08:31.589Z",
"dateUpdated": "2025-10-01T19:46:40.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…